6 min read

Writen by Zlatko Delev

Posted on: March 14, 2023

GDPR – Onboarding Process

How to Onboard Your GDPR Article 27 Representative

You’re based outside the EU or UK and you’re processing the data of EU or UK citizens. You know you need an Article 27 EU/UK representative to comply with data protection laws. But how do you go about bringing one onboard?

When it comes to GDPR Article 27, it seems there are two types of company: ones who’ve never heard about Article 27, and those who know about it but don’t know how to make it a part of their organisation. Let’s take that first group for starters…

What is GDPR Article 27?

Everyone who processes the data of EU or UK citizens is bound by the GDPR. It doesn’t matter whether you’re operating within the UK or EU, or whether you’re based in Algeria, Albania or Argentina, if you process the data of citizens within GDPR-affected territories, you’re bound by the GDPR. GDPR requires anyone dealing with that data to have a representative entity within an EU or UK country.

The representative acts as a liaison between your company, the EU/UK authorities and your data subjects, and ensures the company’s compliance with GDPR policies.

You might already have a division of your company in London, Lisbon, Liverpool or Lille, in which case they may be able to act as your data representative in the EU or UK.  But what if you don’t?

That’s where the GDPR regulations require you to hire an Article 27 representative. If you are based in the EU and process the data of UK citizens, you’ll need a UK GDPR representative. If you’re based in the UK and want to process the data of EU citizens, you’ll need a GDPR Article 27 EU representative.

If you’re base outside both the EU and UK and process the data of citizens of both territories, you’ll need a GDPR representative for both areas. 

You can find much more about when you do and don’t need an Article 27 representative here

How do you find an Article 27 Representative?

The data protection regulations tend to talk about appointing Article 27 representatives as if there are offices of them on every high street. Of course, that’s not the case.

Fortunately, GDPR Local is the hub where the world’s data protection consultants come together. You can find your Article 27 EU or UK rep there.

Find out more about the GDPR Local Consultancy Panel 

How do you become GDPR verified?

Your representative is there to ensure you comply with GDPR data privacy rules, so you’ll want to complete a compliance audit to demonstrate you meet your GDPR obligations. 

Becoming GDPR verified sounds rather daunting, but don’t worry – your representative will help guide through the entire process.

You’ll start with a Written Agreement which lays out the rights, responsibilities and obligations of both parties involved. This agreement acts as a blueprint for the entire business relationship, providing clarity and protection for all parties involved.

With the Written Agreement signed, you’ll have five documents to upload. These are:

Privacy policy: A document detailing what personal information your company collects, how it’s collected, stored and used, as well as steps taken to protect its security and individual’s rights.

Subject Access Request document: This specifies the response requirements to a request by a data subject. It includes time frame, information provided and dispute handling procedures, and ensures a consistent and compliant handling of SARs.

Data breach handling process: A document that provides guidance on detecting, responding and containing a breach, and minimizing damage. It outlines individual roles in handling the breach, a communication plan, reporting procedure, and future prevention steps.

Process and data definition document: This document outlines your processes for collecting, storing, processing, and using personal data. It defines data types, use, retention and access, and specifies security measures and individual rights.

Information security policy: A document outlining your company’s approach to protecting confidential information, defining secure measures and personnel responsibilities.

How to access data compliance audit documents

You can buy the entire bundle from us when you create your account. Do that now

Getting verified

With your documents uploaded, our compliance executive will conduct a thorough review. If there are any issues, they’ll give you guidance on ensuring the documents are in compliance with the GDPR.

If all is in order you’ll receive a badge and code (via the portal) that you can add to your website, indicating you have undergone a compliance audit and appointed an Article 27 representative.

Building the relationship with your Article 27 representative

With your representative appointed and your GDPR compliance verified, you’ll be able to tap into the knowledge and experience of your representative whenever you need, and dial up or down the level of GDPR support and consultancy you receive whenever you need to.

Find your Article 27 EU/UK rep now, or for questions about your next steps, talk to us.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

ISO 27001 Controls: A Comprehensive Step-by-Step Guide

Organisations in today's world filled with technology require a good information security setup and

Comparing Information Security Frameworks and Data Protection Frameworks

With cyber threats evolving at an unprecedented rate and regulations tightening globally, understan

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy