How can we help you?

All companies without offices in the EU and/or UK will need to appoint an Article 27 GDPR Representative, if they process personal data of individuals that are located in the EU/UK.

EU companies without offices in the UK will need to appoint an GDPR Representative in the UK if they process personal data of individuals that are located in the UK.

UK companies without offices in any EU member states will need to appoint an EU GDPR Representative if they process personal data of individuals that are located in the EU.

These legal requirements apply to almost all companies including financial, business and legal services, online retail, marketing and adtech products, technology, transportation and aviation, clinical trials, health and diagnostic services, cookie-based advertisement, as well as digital services, such as mobile apps and online communities.

The EU Representative is mandated by the data controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to [data] processing. The Representative acts as a local point of contact for matters of data protection and privacy, and receives communications from data protection supervisory authorities in official proceedings, as well as, for example, requests from data subjects to exercise their GDPR rights.

The contact details of your Article 27 Representative must be published in your company privacy policies. We also recommend that you add our details to your website footer and in any relevant documentation.

As your Article 27 Representative we need to complete our due-diligence and ensure we understand how you collect, store, and process data. We need to keep a copy of the company’s record of processing activity spreadsheet along with other key documents to help us understand how you operate. Upon request of a supervisory authorities, the Representative must cooperate with them and disclose the Article 30 documentation.

No, failure to appoint an EU Rep would be a breach of Article 27 of the GDPR and carries the same potential penalties.

Providers of AI systems/models from third countries (outside the EU).

High-risk AI systems or general-purpose AI models.

Free and open-source general-purpose AI models unless they pose systemic risks.

The end date for general-purpose AI models is August ‘25 and for high risk AI models is August ‘26.

Appointing an AI Authorized Representative (AR) before the mandatory deadline provides a strategic advantage by allowing you to organize your documentation and perform thorough risk assessments ahead of time. This proactive step not only ensures you're fully prepared when the deadline arrives but also helps you avoid potential disruptions. By acting early, you demonstrate a commitment to responsible AI and gain a competitive edge in meeting the AI Act's requirements. Additionally, this early appointment gives us ample time to review your documentation and offer timely, valuable insights to help you navigate registration requirements smoothly.

The role of an AI Authorized Representative (AR) is to serve as the EU-based point of contact for authorities, providing necessary information on the compliance of high-risk AI systems from providers outside the Union. Before these systems can be made available in the EU, the representative, appointed by written mandate, acts as the intermediary, making sure that AI providers meet regulatory requirements and maintain a level playing field for operators within the Union. Recital 82

The actual costs depends on the complexity of the AI system, the nature of the data processed, and the existence of existing compliance documentation or a Conformity Assessment. We offer a free risk assessment service to allow us to give you an accurate cost for the initial assessment, document storage, and ongoing representation. Assessments are totally free.

Currently, there is no specific requirement mandated by the EU AI Act for publishing AI Representative details.Accordingly, the contact details of your AI Authorized Representative (AR) can be published in your company privacy policies. We also recommend that you add our details to your website footer and in any relevant documentation. You will also receive a representative certificate and formal mandate to confirm that we have been appointed as your Representative.

As your AI Authorised Representative (AR) under Article 22 and 54, we need to fully understand your AI system by reviewing essential documentation, including a written mandate, proof of identity, and detailed technical and risk assessment reports. This information enables us to evaluate your system's alignment with EU regulations, identify potential risks, and ensure proper legal protections through data processing agreements and insurance coverage. With this documentation, we can effectively support your AI system's adherence to EU requirements.

No, where a Representative is required failure to appoint an AI Authorized Representative (AR) would be a breach of the AI Law and carries the same potential penalties.

Use the Contact Us form below or simply email us at: [email protected] and we’ll walk you through the steps and arrange your free risk assessment meeting.

We can offer you services like:

• AI compliance Hub (1 hour AI consultancy per month)
• AI Risk Assessment (Assess the risk of your AIsystems/Models)
• AI Governance (Implement AI Governance Framework - AI Strategy, AI Policy, Risk management Framework…)
• AI Representative (if you are a non EU provider of high risk AI system or general purpose AI model, we can represent you on the EU market)

Determining if the AI Act applies to your system requires an assessment. We can help you conduct a comprehensive analysis to identify potential regulatory obligations. Key factors include:

• The intended use of the AI system.
• The level of risk posed to individuals or society.
• Whether the system falls under specific categories defined by the AI Act.
• Where the AI system will be used and who is affected by the AI system.

Our AI Act risk assessment process involves:

• System Mapping: Identifying the components and functionalities of your AI system.
• Risk Identification: Identifying potential harms that the system could cause.
• Risk Assessment: Evaluating the likelihood and severity of identified risks.
• Mitigation Planning: Developing strategies to mitigate identified risks.
• Documentation: Creating a comprehensive risk assessment report.

We use a variety of established risk assessment methodologies, including ISO RMF 100.1, HUDERIA, FRIA, Algorithm AI Assessment, and others.

The AI Act's compliance timeline is phased. Some provisions will take effect earlier than others. We can provide a detailed breakdown based on your specific AI system. Key dates to consider include:

• February 2025: Certain prohibitions, definitions, and AI literacy provisions apply.
• August 2025: Rules for governance and obligations for general-purpose AI become applicable.
• August 2026: Obligations for high-risk AI systems apply.

Yes, we can assist in developing a robust AI governance framework tailored to your organization.
Our services include:

• Policy Development: Creating comprehensive AI policies and guidelines.
• Risk Management: Implementing effective risk management practices.
• Ethical Framework: Establishing ethical principles for AI development and use.
• Compliance Monitoring: Ensuring ongoing adherence to regulations.
• Stakeholder Engagement: Building trust and transparency with stakeholders.

The EU AI Act imposes significant penalties for non-compliance. The severity of the penalty depends on the nature of the infringement.
Key Penalties:

• Non-compliance with prohibitions: Up to €35 million or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher.
• Non-compliance with other requirements: Up to €15 million or 3% of total worldwide annual turnover for the preceding financial year.
• Providing incorrect or misleading information: Up to €7.5 million or 1.5% of total worldwide annual turnover for the preceding financial year.

These are maximum penalties, and the actual fine will depend on the severity of the infringement.

Member states will be responsible for setting specific penalties within these limits.

SMEs may be subject to lower penalties.

A conformity assessment is a process required under the EU AI Act to ensure that high-risk AI systems (HRAIS) comply with specific legal requirements before being placed on the EU market or used in the EU.
The key steps include:

• Risk Management System: Establishing and maintaining a system to manage risks throughout the AI system's lifecycle.
• Technical Documentation: Developing and implementing detailed technical documentation for the AI system.
• EU Declaration of Conformity: Preparing and submitting this declaration to confirm compliance.

There are two main methods for conducting conformity assessments:

• Internal Conformity Assessments: Conducted by the provider, relying on established quality management systems and technical documentation.
• Third-Party Conformity Assessments: Required for certain high-risk systems like those involving biometric data, and conducted by a notified body, which is a designated third-party entity.

Non-compliance can result in fines, market restrictions, product recalls, and reputational damage.

The AI Act is a regulatory framework by the European Union (EU) that aims to establish rules and standards for the development, deployment, and use of artificial intelligence (AI) within the EU. Officially known as the "Artificial Intelligence Act," it seeks to ensure that AI systems are safe, transparent, and respect fundamental rights.
The Act takes a risk-based approach, categorizing AI systems into different levels of risk:

• Unacceptable risk: Certain AI applications, such as those that manipulate people's behaviour or exploit vulnerabilities, are outright banned.
• High risk: AI systems used in critical infrastructure, education, employment, law enforcement, and other areas with significant impact on people's lives are subject to strict regulations, including conformity assessments.
• Limited risk: Certain AI systems, like chatbots, must disclose their AI nature to users.
• Minimal or no risk: Most AI applications fall into this category and face few to no regulations.

TYes - all out AI experts have appropriate training and certification including AIGP through IAPP.

The EU AI Act is set to significantly impact businesses operating within or targeting the EU market.
The main steps that companies should make would be:

• Understanding Your AI Systems
• Establish Ethics Framework/Data Governance/Transparency and explainability/Human Oversight
• Compliance Roadmap
• Actions Based on AI System Risk
• Continuous Monitoring and Adaptation

We offer a range of services from simple compliance queries, helping manage a single data protection complaint, supporting clients responding to a due-diligence request through to complete compliance implementation programmes. We provide full DPO services, consultancy, training, documentation, emergency response support, and of course support for companies facing a Regulator investigation. We have many years experience in all aspect of data protection and can help with any issue.

If you collect, store or process data relating to a person living in the UK or EU then GDPR will apply. There are very few exceptions. In addition to GDPR other local regulations may apply, often with more stringent obligations than GDPR. Contact us anytime for a free consultation.

Data protection frameworks are being adopted by countries across the world. The data protection landscape is complex and changing rapidly. You will need to comply with all applicable regulations, this will depend on the nature of your system, the data you process, the location of your data subjects and even potentially your choice of partners, third-parties, and suppliers. The short answer if that you need to comply with all applicable regulations. Contact us anytime to discuss.

We can help with all data protection frameworks. Our team of global data protection consultants have experience in all frameworks with all types of companies across the world. We can help with any standard, any issue, any request.

Yes, we offer a range of services from initial assessment through to ongoing compliance Governance. We have developed a number of governance frameworks to ensure our clients meet their compliance obligations now and into the future.

Penalties vary depending on the nature of the breach, the jurisdiction, and the Regulator or Supervisory Authority involved. Fines are designed to be punitive so always best avoided however reputational damage and business disruption are often more significant and can have longer term impact.

Our well worked compliance approach ensures we address all aspects of GDPR and is designed to ensure you meet your ongoing compliance due-diligence requirements. Our approach keeps you fully compliant with GDPR and makes sure you stay on top of all your ongoing data protection responsibilities.

The DPO service costs £150 per hour, and we usually recommend 6 to 8 hours to cover your needs effectively. This ensures you get thorough support while maintaining flexibility based on your specific requirements.

We have 15 certified DPOs on our team, all of whom hold law degrees and specialize in data protection. Their expertise ensures that your organization’s data protection is handled with the highest level of professionalism and legal knowledge.

A Data Protection Officer (DPO) is responsible for overseeing the organization’s data protection strategy and ensuring compliance with GDPR requirements. They monitor data processing activities, provide guidance on data protection impact assessments, and act as the main point of contact between the organization and regulatory authorities. Additionally, the DPO is tasked with educating staff on data protection obligations and handling any inquiries or complaints regarding data privacy.

Compliance Hub provides you with access to a dedicated compliance portal where you can select one of our expert GDPR and Data Protection specialists. They assist with everything from updating documentation to handling complex data protection issues, including data breaches and regulator investigations.

Yes, we have an online portal that is both modern and user-friendly. It is designed to streamline your compliance processes and provide easy access to all necessary resources. Our portal ensures a seamless experience for managing your data protection needs efficiently.

The cost of our services varies depending on whether you choose a monthly retainer or a bespoke GDPR project. For detailed pricing information and to find the best option for your needs, please contact us directly. We’ll be happy to provide a tailored quote based on your specific requirements.

This service is designed to meet the Swiss Data Protection Representative service which is an obligation under Article 14 of the Federal Act on Data Protection in Switzerland (FADP) with effect from 1st September 2023.

You are only required to appoint a Data Protection Representative in Switzerland if the following ALL apply:

• Your organisation processes the personal data of individuals in Switzerland
• Your organisation has no domicile in Switzerland
• Your organisation is a data controller (and not a data processor)
• The data processing undertaken on the personal data of individuals in Switzerland is connected with the offer of goods or services or the monitoring of the behaviour of persons in Switzerland
• The data processing is on a large scale
• The data processing is carried out regularly
• The data processing poses a high risk to the personality of the data subjects

Because of the nature of the Swiss Representative role compared to that under GDPR, this package is relevant no matter how many Swiss data subjects you process personal data for, and whether or not you process special category personal data (e.g. medical, ethnicity, religion, criminal convictions etc) for them.

All companies without offices in Switzerland may need to appoint a Representative, if they process personal data of individuals that are located in Switzerland.

This legal requirements apply to almost all companies including financial, business and legal services, online retail, marketing and adtech products, technology, transportation and aviation, clinical trials, health and diagnostic services, cookie-based advertisement, as well as digital services, such as mobile apps and online communities.

The Representative is mandated by the data controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, the supervisory authority and data subjects, on all issues related to [data] processing. The Representative acts as a local point of contact for matters of data protection and privacy, and receives communications from the data protection supervisory authority in official proceedings, as well as, for example, requests from data subjects to exercise their data protection rights.

The contact details of your Representative must be published in your company privacy policies. We also recommend that you add our details to your website footer and in any relevant documentation.

As your Representative we need to complete our due-diligence and ensure we understand how you collect, store, and process data. We need to keep a copy of the company’s record of processing activity spreadsheet along with other key documents to help us understand how you operate. Upon request from the regulator the Representative must cooperate with them and disclose required documentation.

No, failure to appoint a SwissRep would be a breach of regulations and carries potential serious penalties.