Written by Zlatko Delev

Posted on: March 14, 2023

GDPR – Onboarding Process

How to Onboard Your GDPR Article 27 Representative

You’re based outside the EU or UK and you’re processing the data of EU or UK citizens. You know you need an Article 27 EU/UK representative to comply with data protection laws. But how do you go about bringing one onboard?

When it comes to GDPR Article 27, it seems there are two types of company: ones who’ve never heard about Article 27, and those who know about it but don’t know how to make it a part of their organisation. Let’s take that first group for starters…

What is GDPR Article 27?

Everyone who processes the data of EU or UK citizens is bound by the GDPR. It doesn’t matter whether you’re operating within the UK or EU, or whether you’re based in Algeria, Albania or Argentina: if you process the data of citizens within GDPR-affected territories, you’re bound by the GDPR. GDPR requires anyone dealing with that data to have a representative entity within an EU or UK country.

The representative acts as a liaison between your company, the EU/UK authorities and your data subjects, and ensures the company’s compliance with GDPR policies.

You might already have a division of your company in London, Lisbon, Liverpool or Lille, in which case they may be able to act as your data representative in the EU or UK.  But what if you don’t?

That’s where the GDPR regulations require you to hire an Article 27 representative. If you are based in the EU and process the data of UK citizens, you’ll need a UK GDPR representative. If you’re based in the UK and want to process the data of EU citizens, you’ll need a GDPR Article 27 EU representative.

If you’re based outside both the EU and UK and process the data of citizens of both territories, you’ll need a GDPR representative for both areas.

You can find much more about when you do and don’t need an Article 27 representative here

How do you find an Article 27 Representative?

The data protection regulations tend to talk about appointing Article 27 representatives as if there are offices of them on every high street. Of course, that’s not the case.

Fortunately, GDPR Local is the hub where the world’s data protection consultants come together. You can find your Article 27 EU or UK rep there.

Find out more about the GDPR Local Consultancy Panel 

How do you become GDPR verified?

Your representative is there to ensure you comply with GDPR data privacy rules, so you’ll want to complete a compliance audit to demonstrate you meet your GDPR obligations. 

Becoming GDPR verified sounds rather daunting, but don’t worry – your representative will help guide you through the entire process.

You’ll start with a Written Agreement which lays out the rights, responsibilities and obligations of both parties involved. This agreement acts as a blueprint for the entire business relationship, providing clarity and protection for all parties involved.

With the Written Agreement signed, you’ll have five documents to upload. These are:

Privacy policy: A document detailing what personal information your company collects, how it’s collected, stored and used, as well as steps taken to protect its security and individuals’ rights.

Subject Access Request document: This specifies the response requirements to a request by a data subject. It includes time frame, information provided and dispute handling procedures, and ensures a consistent and compliant handling of SARs.

Data breach handling process: A document that provides guidance on detecting, responding to and containing a breach, and minimizing damage. It outlines individual roles in handling the breach, a communication plan, reporting procedure, and future prevention steps.

Process and data definition document: This document outlines your processes for collecting, storing, processing, and using personal data. It defines data types, use, retention and access, and specifies security measures and individual rights.

Information security policy: A document outlining your company’s approach to protecting confidential information, defining secure measures and personnel responsibilities.

How to access data compliance audit documents

You can buy the entire bundle from us when you create your account. Do that now

Getting verified

With your documents uploaded, our compliance executive will conduct a thorough review. If there are any issues, they’ll give you guidance on ensuring the documents are in compliance with the GDPR.

If all is in order you’ll receive a badge and code (via the portal) that you can add to your website, indicating you have undergone a compliance audit and appointed an Article 27 representative.

Building the relationship with your Article 27 representative

With your representative appointed and your GDPR compliance verified, you’ll be able to tap into the knowledge and experience of your representative, and dial up or down the level of GDPR support and consultancy you receive, whenever you need to.

Find your Article 27 EU/UK rep now, or for questions about your next steps, talk to us.

Contact

I hope you find this useful. If you need an EU representative, have questions about the GDPR, or have received a SAR or regulatory request and need help, you can contact us at any time. We are always happy to help...
GDPR Local Team.
