GDPR was implemented in 2018, while the UK was still part of the EU. But since the UK left the EU and broke away from all EU laws on 1 January 2020, the UK government had an obligation to furnish businesses with necessary updates regarding GDPR. And in terms of data protection laws and regulations, the UK introduced its own version, the UK GDPR, which carried over from the GDPR laws introduced by the EU but tailored for the UK and UK businesses.
The implementation of UK GDPR has seen some big changes since the split—especially for businesses that operate and handle data within the EU. UK businesses now need separate representatives in both territories. They need a representative in the EEA (European Economic Area) and EEA organisations also need a representative in the UK. These are also known as GDPR representatives.
In this article, we’re going to cover GDPR, what GDPR representatives do, when businesses need a GDPR representative and whether or not DPOs (Data Protection Officers) can act as a representative.
GDPR refers to data protection regulations that were brought into law by the EU back in 2018. These new regulations sought to put individuals and individual rights before companies in a world increasingly data obsessed.
The GDPR regulations replaced the Data Protection Directive (DPD) and the UK Data Protection Act of 1998. With GDPR, data is viewed as a human right that must be protected from exploitation. The main goal of GDPR is to protect personal data and the rights of the individuals whose data is being collected, processed and stored by businesses. It allows for transparency and gives individuals more rights and control over their data.
The job of a GDPR representative is to act on behalf of businesses with respect to GDPR within the EU. The appointed party, which can be an individual, a company or an organisation established in the EEA, must be able to represent you in regard to your obligations under GDPR. They act as direct contact between your organisation, data subjects and regulatory authorities. They’re the voice of an organisation in regards to everything GDPR. They can also receive legal documents on your behalf.
The main tasks of GDPR representatives include:
- Responding to enquiries supervisory authorities or data subjects have concerning data processing.
- Receiving legal documents for the company as their authorised agent and maintaining records of data processing activities.
- Creating data processing records available to supervising authorities when required.
- Being subject to enforcement proceedings if an organisation is non-compliant with GDPR regulations.
Businesses are required to have a GDPR representative when they collect, process or store the data of individuals on a large scale within the EU if they do not have a physical presence there.
Article 27 of the GDPR states an EU representative is required for all non-European companies that handle the information of EU data subjects but do not have a physical presence in any of the member states which make up the EU. Businesses don’t require GDPR representatives if they’re a public authority or processing only occasionally with low-risk data, however.
You’ll need to authorise the representative in writing to act on your behalf in regards to your GDPR compliance and dealing with supervisory authorities or data subjects. Your business will need to give details of your representative to EEA-based individuals whose personal data you process. You must be open and transparent. This can be done simply by including them in your privacy notice or by telling them upfront when you collect their data—whether that’s by email collection or other means.
And if it is that you need a GDPR representative, you must also make them easily accessible to the supervisory authorities. This can be done simply by publishing their details on your website.
Technically, there’s nothing prohibiting an individual from fulfilling both roles for an organisation. But they are two distinct roles and it’s the responsibility of individual businesses to ensure a DPO does not take on tasks that may result in a conflict of interest. In all likelihood, a conflict of interest would likely arise, especially around confidentiality. An EU representative serves as a contact between an organisation and its data subjects, while a DPO is responsible for assisting a business in monitoring internal compliance and informing and advising them on their data protection obligations.
A DPO playing both roles, for example, may find themselves conflicted when they receive concerns from data subjects and are tasked with the obligation to make sure the organisation is compliant with GDPR. With this in mind, although it’s technically possible, it’s better if your business keeps both roles separate.