If you’re a business that processes customer data in any respect, you may need a GDPR representative.
According to the Information Commissioner’s Office (ICO), if you’re a UK-based business and offer goods or services to individuals within the EEA or monitor the behaviour of individuals in the EEA in any way, shape or form, then you still need to comply with the EU GDPR with respect to data processing.
The UK GDPR has supplanted the duty for businesses that are public authorities or public bodies and use data processing to appoint a data protection officer (DPO). On top of this, organisations that wish to operate and who are involved in data processing activities need representation in both territories—by law.
Since you do not have a base inside the EEA, the EU GDPR requires you to appoint a representative in the EEA. They will need to be set up in an EU or EEA state where some of the personal data you’re processing is located. And you must authorise this representative, in writing, to act on your behalf in terms of your EU GDPR compliance. In this respect, they will also deal with any supervisory authorities or data subjects.
GDPR law and compliance behind processing data
Even though your GDPR representative will work on your behalf, deal with the fine details and relay back to you any important information regarding data processing, it’s still a good idea to understand the law and compliance behind processing customer data with regard to GDPR regulations.
GDPR is a strong set of data protection rules that prioritises individuals’ rights over corporations with regard to their consent, control and data activities held by businesses. This includes even the most basic data (information) about an individual that businesses collect, such as names, location data or even a username.
Personal data must be protected against unlawful processing, as well as loss and damage. And businesses require consent and give people the ability to withdraw, request and delete their personal data at any time.
Why do I need a GDPR representative and what do they do?
You need an EU Data Representative if you don’t have an office in the EU but process large amounts of data from EU data subjects (persons and individuals) or if you process special categories of data.
According to Article 27(3) of EU GDPR regulations, these data representatives are:
- Nominated by the controller or processor to be addressed in addition to the controller or the processor by EU regulatory bodies.
- Established in a member state where you process or monitor personal data.
A GDPR data representative performs several important functions on your behalf beyond being a named point of contact between yourself and EU regulators. They also:
- Act on your behalf, for your benefit, with supervisory authorities.
- Help you to meet Article 30 requirements (record of processing activities (ROPA)).
- Supply you with any updates, revisions and new readings of the GDPR rules as they apply to your business.
- Make records available to supervisory authorities.
Your GDPR representative acts as your public face in the EU. As a business, you benefit from having a GDPR representative in that they’re a fast contact point for international bodies to get in touch with. They work on your behalf. They will provide you with timely updates about EU law, and the regulatory authorities can bring proceedings against the representative, instead of yourself, for any breaches you’ve committed.
What happens if GDPR regulations are breached?
Failing to comply with GDPR regulations can prove devastating for businesses, corporations and organisations.
Not adhering to or breaking any rules within the stringent GDPR regulations can mean facing massive fines. There are two tiers of fines for businesses that violate GDPR regulations. Companies that breach regulations face a maximum penalty of €24 million ($23 million) or 4% of their annual global turnover (whichever is greater). The second tier means infractions can hit €10 million ($12 million) or 2% of annual turnover. Authorities can also issue public reprimands or place restrictions upon such businesses, rather than issue fines.
If you’re a business that processes large amounts of data but doesn’t have a base in the territories where you do so, then you require a GDPR representative. GDPR regulations can be stringent and arduous, and it can be easy to accidentally breach them. Having a GDPR representative will give you a physical presence within the territories you’re operating in and make sure you remain on the right side of the law. They will act as a point of contact and reference, dealing with any issues that arise on your behalf and helping to minimise potential headaches.