
Written by Ana Mishova

Posted on: June 22, 2023

Mastering GDPR Article 27: A Guide for UK Business

If your business trades with EU customers, the chances are that you need to comply with GDPR Article 27. But why is that? And what does ‘compliance’ involve?

You probably don’t spend a great deal of time (if any) learning UK law section by section, so it’s perhaps even less likely that you’re going to have committed EU law to memory. But if your business collects, stores or processes the data of EU citizens, there’s one article of one regulation that you probably should know at least the basics of: Article 27 of the General Data Protection Regulation (GDPR).

In this post, we explore this crucial aspect of data protection compliance in detail and ask what it means for your business.

Understanding GDPR Article 27

There are 99 articles of the EU GDPR. We don’t expect you to know them all. In truth, few UK businesses know any because, post-Brexit, the UK has its own data privacy provisions so the EU version no longer applies… except for one part.

Article 27 of the GDPR was introduced to ensure that the personal data rights and freedoms of EU individuals were protected even when that data was processed or stored outside the EU.

It means that every organisation everywhere that processes EU citizens’ data is bound by Article 27.

Appointing an EU Representative for GDPR Article 27

This is how non-EU businesses meet their Article 27 responsibilities. Any organisation which is not a public body and whose processing of EU data is not merely “occasional” must designate an EU GDPR representative. The representative acts as a point of contact for supervisory authorities and individuals within the EU regarding data protection matters. In practice, they should also act as a UK business’ guide to EU data compliance, supporting the business in adapting to changing legislation so it remains compliant.

Contact details: The EU representative’s contact details, including their name, address, and means of communication, must be provided to the relevant EU supervisory authorities.

Mandate and responsibilities: The GDPR EU representative must be given a mandate by the non-EU business to act on its behalf concerning GDPR compliance matters. Responsibilities include maintaining records of processing activities, cooperating with supervisory authorities, and acting as a contact point for individuals in the EU.

Limits of the GDPR rep: Engaging an EU GDPR consultant doesn’t absolve a UK business from its obligations under GDPR. The representative is there to act as a bridge between the EU and the business, and to help smooth its road to compliance. If the business doesn’t meet its Article 27 responsibilities, the EU supervisory authorities retain the power to take enforcement actions against both the non-EU business and its EU representative.

6 Steps for UK businesses to comply with GDPR Article 27

  • Determine applicability

Does GDPR Article 27 apply to you? If you offer goods or services to individuals in the EU (that is, people of any nationality who are resident in the EU, rather than EU nationals resident anywhere), or monitor their behaviour, you may fall within the scope of Article 27.

  • Appoint an EU Representative for GDPR

If Article 27 applies, appoint an EU GDPR representative. This representative should be located in one of the EU member states where individuals whose data is being processed reside. Where you process the data of Dutch, German and Italian residents, for example, an EU GDPR consultant in any one of those countries would suffice.

  • Give a clear mandate

You’ll need to give your EU representative for GDPR Article 27 a clear mandate to act on your behalf, outlining their responsibilities and tasks regarding compliance.

  • Maintain records

The GDPR rep should maintain accurate records of the processing activities carried out by your business on behalf of individuals in the EU.

  • Cooperate with supervisory authorities

The EU’s supervisory authorities effectively have two roles: to address complaints from data subjects and to audit companies on their GDPR compliance.

Your GDPR EU representative should establish and maintain effective channels of communication with the relevant supervisory authorities in the EU. If there’s ever an issue, they will be the first point of contact for the authorities and will help you fulfil your GDPR obligations.

  • Review and update

Because we can expect the GDPR to adapt and evolve over the next few years, UK businesses should not treat compliance as a ‘one hit and done’ issue. Your GDPR rep has a role in ensuring you remain compliant, supporting you with the implementation of changes.

It’s also important to review the performance of your Article 27 representative to ensure they remain effective.

Getting to grips with Article 27

There’s a temptation for some to feel that compliance with GDPR Article 27 is a box-ticking exercise – that it ensures you meet the terms of the article but little more. The truth is very different.

By appointing your EU representative for GDPR Article 27, you help protect your organisation from potentially eye-watering penalties. You create a business that is better at managing and securing data, reducing the risk of breaches. You demonstrate to customers everywhere your commitment to treating their data responsibly. And, with the EU GDPR among the world’s most robust data protection regulations (along with the UK’s), you put your business on the front foot of data privacy, which should make implementing future international standards much easier. 

Appoint your GDPR EU representative

Data protection is an ongoing process. Staying up to date with GDPR regulation is essential. Your Article 27 rep should be your trusted source of legal advice and timely information.

Find the right EU GDPR consultant for you now, get data protection advice or, for questions about your next steps, call +441772 217800.

