Does your business really need to be compliant with GDPR Article 27? If so, how do you achieve it? Our GDPR experts explain everything you need to know.
If you’re a UK business trading with Europe, you may find that GDPR leaves you scratching your head. How can we be bound by an EU law when we left the EU? Allow us to explain.
In 2016, the UK voted to leave the EU. We didn’t leave immediately. There was a transitional period to allow everyone to get their house in order. In 2018, when GDPR came into force, we were still in the transitional period, which meant that GDPR applied to us. As part of our Brexit implementation arrangements, we incorporated the GDPR into UK law under the Data Protection Act 2018. This was effectively a carbon copy of the EU GDPR so that, when the UK formally left the EU at the very end of 2020, we still had a data protection law to call our own.
You might think that the EU version of the GDPR ceased to apply to us at that point – and it did, with the exceptions of Articles 3 and 27.
Article 3 is crucial because it established that the EU GDPR applies to anyone processing the data of EU residents, wherever the data processor is. From Uruguay to Uzbekistan to the UK, if you process the data of residents of the EU, you are bound by the EU GDPR.
Of course, saying the entire world is subject to the EU GDPR is easy. Giving such a regulation teeth when a company doesn’t have an office, store or other presence on the ground in the EU is another matter. That’s the purpose of Article 27. Article 27 is how the EU ensures that the world takes the regulation seriously.
GDPR Article 27 states that businesses outside the EU that offer goods or services to individuals within the EU (or otherwise monitor their behaviour) must appoint an EU GDPR representative.
The representative must be an individual or an organisation established in one of the EU member states where the data subjects reside. If you process the data of lots of EU residents in lots of member states, you still only need one EU representative for GDPR Article 27.
With your GDPR rep, your company has an expert point of contact to manage (and translate) communications between your business, EU data subjects, and supervisory authorities regarding data protection matters. They keep records of your data processing activities on your behalf. They help ensure you prepare for changes in EU law and ensure you stay compliant. They help you manage requests from data subjects, and if you ever suffer a data breach, they’ll help you manage that too.
Without a European representative for GDPR, not only does your organisation miss out on all the above, it also immediately fails the EU’s compliance test, which exposes it to (very) substantial fines which can amount to millions of euros or a percentage of your annual global turnover, depending on the severity of the violation. Non-compliance won’t do your business’ reputation or customer trust any favours either.
To ensure your UK business is compliant with GDPR Article 27, consider the following steps:
1. Does your business fall under the scope of the GDPR?
The key questions here are:
If you can answer yes to all the above – or if you monitor the behaviour of data subjects within the EU – GDPR compliance, including Article 27, is mandatory.
2. Appoint an EU representative
To be considered a suitable representative, your EU GDPR consultant must be established in an EU member state in which you process data. Naturally, you’ll want them to be experts in GDPR compliance, but you’ll also want them to be the sort of person you can build a relationship with – someone you can rely on.
Start your search for expert GDPR reps here!
3. Inform your EU representative
Give your European representative for GDPR all the information they need regarding your data processing activities. They’ll then be able to assess your current state of compliance and help you fill any gaps.
4. Keep records
Document your data processing activities, including purposes, categories of data, data subject rights, and data transfers. Ensure that, should supervisory authorities request them, they’re easily available. Your GDPR rep will be able to help you with this.
5. Regularly review and update compliance measures
Perhaps one of the most important elements in staying compliant with GDPR is understanding that the GDPR isn’t static. Nor is UK data protection law. We can expect both to keep evolving and, over time, that’s likely to lead to greater divergence between the two.
Increasingly, complying with UK data law will be no guarantee that your business is compliant with EU data law. It’s vital, therefore, to work with your GDPR representative to keep track of changes in data processing activities, to review your compliance measures, and to update them accordingly.
No matter what else you do and no matter how in depth your data protection measures are, if you fall under the scope of the EU GDPR at 1 above and haven’t yet appointed a GDPR EU representative, you’re not compliant.
You can put that right, right now.
Find the right EU GDPR consultant for you now, get data protection advice or, for questions about your next steps, give us a call on +44 1772 217800.