The UK and EU are fast drawing to the end of the Brexit transition period. But with the terms of the UK's withdrawal from Europe still unclear, what does it mean for UK and EU organisations doing business in each other's territory? And in particular, what does it mean for the need to appoint a Data Representative?
From the end of the transition period and on 1st January 2021, the General Data Protection Regulation (EU) 2016/679 will have effect as UK law.
This has now brought into play the concept of 'dual representation'. UK controllers or processors who will be continuing to offer goods and services to individuals living in a member state of the EU may need to appoint an EU Representative. Similarly, EU controllers or processors who will be carrying on sales and commercial activities geared to individuals resident in the UK may need to appoint a UK Representative.
The legal requirement to appoint a GDPR Representative stems from the provisions of Article 27 of the EU GDPR. Almost every commercial organisation will need to consider the appointment of a GDPR Representative unless their processing activities are 'occasional', do not include large-scale processing of special category data or criminal convictions or where the processing is unlikely to result in a risk to an individual's rights and freedoms.
GDPREP.ORG has received many requests for help from businesses in the UK, Europe and around the world wanting to know and understand when and how they should engage a GDPR Representative post-Brexit.
The following 'Tips' may just help:
1. Ensure the appointment of your GDPR Representative is in writing, supported by an appropriately drafted 'service contract' setting out the scope of the representative's service.
2. Understand the mutual roles, responsibilities and obligations that exist between you and your GDPR Representative. For example, your representative should be the point of contact and communication with the individuals whose personal data you process, so as to ensure an individual's data protection rights are effective and are capable of being answered. But at the same time, remember that it is you, and not your GDPR Representative, that is primarily responsible for complying with a data subject's rights under the GDPR.
3. Don't appoint a GDPR Representative who is also acting or offering to act as your Data Protection Officer. The two roles are not compatible with each other and would result in a conflict of interest.
4. Understand it is you, and not your GDPR Representative, that is responsible for maintaining an up-to-date record of your processing activities ('ROPA'), but it is your representative's responsibility to be able to provide on request, to a Supervisory Authority, a 'living record' of your processing activities which contains all the necessary information as required by Article 30 of the GDPR.
6. Lastly, don't allow your processor to act as your GDPR Representative. Your processor has other, incompatible obligations which would conflict with the role and responsibilities of your representative.
GDPREP.ORG offers affordable fixed fees in providing EU and UK GDPR Representation. For further information contact: firstname.lastname@example.org