In my previous blog, “GDPR 101: What’s a Data Protection Representative?”, I provided guidance from Tim Bell, managing director of DPR Group, about the responsibilities of the data protection representative (DPR), a role required by Article 27 of the EU’s General Data Protection Regulation (GDPR). In this blog, Tim answers my questions about how to comply with Article 27. (DPR Group provides EU representative services in all 28 EU member states.)
Does the DPR have to be an employee or can a third party act as the DPR?
It’s unlikely that the DPR will be an employee of the data controller/processor required to appoint one. Because the representative must be in the EU, and is only required where a company has no establishment in the EU, the company in need of a DPR is unlikely to have anyone located in the EU. It’s anticipated that the role of the EU representative, or DPR, will mostly be taken up by specialist companies. Traditional advisors like law firms will generally resist accepting this role, as they won’t be comfortable with the liability it attracts -- the courts can look through corporate structures in an effort to recover sums from group parent companies.
What experiences have DPRs had since GDPR started last year?
EU representatives have seen a slightly slower-than-anticipated take-up of the service in the first year or so since GDPR became enforceable. I believe that this is mostly due to a lack of knowledge. The companies that are going to need an EU representative are mostly in the SME market. Global companies (those that have an EU establishment and therefore don’t need an EU representative) may not have a large compliance function and may simply prepare based on materials obtained online. Online GDPR materials are usually designed with an EU audience in mind and, as a result, don’t mention the EU representative requirement. EU-based companies don’t need one either.
I’ve also heard anecdotal evidence that some companies are taking a wait-and-see approach, either to the representative requirement or GDPR as a whole -- waiting to see if the potentially large fines ever materialize. Needless to say, I don’t recommend this approach! Although the large tech companies are the most visible, smaller companies are also being fined under GDPR as a result of the complaints of individual data subjects to the EU data protection authorities. Those authorities are required to follow up on a complaint made by an EU-based individual. Any company could find itself under the EU microscope.
In respect to the operations of managing communications, we saw a large spike in data subject requests in May 2018, when GDPR first became enforceable. Those then dropped off, and we’re now seeing a month-on-month gradual increase for those communications, as more people become aware of (and seek to exercise) their GDPR rights.
How will Brexit affect the EU representative role?
Because of the way the U.K. has incorporated GDPR into local law, Brexit will cause a few changes for companies outside the EU. GDPR-equivalent laws have been put in place in the U.K., creating the new role of U.K. representative. This role is required by a company that sells into (or monitors people in) the U.K. but has no U.K. establishment (essentially, the same as required for companies selling into the EU from outside). A non-EU, non-U.K. company that sells into both markets would now be required to appoint both an EU representative and a U.K. representative.
Companies that have avoided the need for an EU representative because of a U.K. office will now find that they no longer have an EU establishment. Because their U.K. offices will no longer count, they’ll need to appoint EU representatives. Likewise, if they’re relying on offices in other EU countries (e.g., Ireland, France, or Germany) they may need to appoint U.K. representatives.
Please be aware the above only applies in the event of a “no-deal” Brexit. If a withdrawal agreement is agreed upon between the U.K. and EU, there’ll likely be a transition period -- probably until the end of 2020 -- during which the requirements discussed above aren’t necessary.