The General Data Protection Regulation (GDPR) applies directly to companies and organisations located in the European Union (EU) and around the world. The law has a deliberately wide scope, based on how personal data about individuals in the EU are collected, used, monitored and stored. Companies and organisations that do not have an established presence in the EU must appoint a Data Protection Representative (Representative) based in the EU in line with Article 27 of the GDPR. This rule is not new, it has been an EU requirement, in a more limited form, since 1995. The Representative allows individuals in the EU to directly enforce their data protection rights and gives EU GDPR regulators a reliable point of contact within their countries.
The Representative is a strategic role, helping foreign companies and organisations to actively monitor GDPR regulators’ priorities, enforcement and key guidance. It is also practical, allowing individuals, users and consumers in the EU to have an access point in the EU. The Representative is more likely to communicate with them in local languages and appreciate local risks, norms and expectations. The Representative is also legally required to understand data flows that affect individuals based in the EU by being involved with GDPR Records of Processing Activities (ROPAs).
1. What types of companies or organisations need European Data Protection Representatives?
Companies and organisations that have no established presence in the EU but process the personal data of individuals in the EU and carry out activities that are covered by the GDPR. This applies whether the personal data processing takes places inside or outside of the EU. The company or organisation can be a Controller or Processor as defined by the GDPR. However, non-EU based public bodies, government organisations, diplomatic missions and consular posts do not have to appoint European Data Protection Representatives.
2. When does a company or organisation need to appoint a European Data Protection Representative?
Companies and organisations should review their data flows, personal data inventories and GDPR ROPAs on a continuous basis to check if their activities are covered by the GDPR. Where companies and organisations offer goods or services to individuals in the EU, even free services, or monitor the behaviour of individuals based in the EU, the need for a European Data Protection Representatives must be considered. That a non-EU website, email address and other contact details are accessible within the the EU, does not, by itself, mean a Representative is required. Companies and organisations should consider whether they use EU languages in their trading or work, use EU currencies, deploy marketing targeted at EU users and consumers or provide users with direct facilities to order and receive goods and services. The use of geographic targeting technologies, cookies, profiling EU users and other monitoring and surveillance could indicate the need for a Representative. Foreign companies and organisations that employ staff, contractors, distributors and agents in the EU are also likely to need to consider appointing a European Data Protection Representative.
The requirement does not apply if the processing of personal data about those in the EU is occasional, small scale or there is no large-scale processing of special categories of personal data or criminal records data that negatively impact the rights and freedoms of individuals.
3. What are the legal duties and key requirements of European Data Protection Representatives?
EU GDPR Representatives:
(a) Must maintain ROPAs of the Controller’s or Processor’s personal data flows.
(b) Cooperate with EU GDPR regulators (Supervisory Authorities).
(c) Be situated in an EU country where individuals who are offered goods, offered services or have their behaviour monitored, are based.
(d) Be appointed by the foreign-based Controller or Processor and can be contacted by EU GDPR regulators and individuals in the EU, in addition to, or instead of, the Controller or Processor.
(e) Act as the Controller’s or Processor’s Representative, but the Controller and Processor remain responsible, liable and directly subject to legal and regulatory action in the EU.
(f) Carry out the Data Protection Representative Service as specifically agreed with the Controller or Processor.
(g) Are subject to enforcement proceedings for non-compliance by the Controller or Processor.
(h) Are designated and appointed in writing by the Controller or Processor.
4. What are the differences between GDPR-appointed Data Protection Officers and GDPR European Data Protection Representatives? Can the roles be carried out by the same person or organisation?
The Data Protection Officer is largely an internal appointment who must act independently and report to the highest level of management in a company or organisation. The Data Protection Officer should not perform an operational role in charge of data processing in the organisation, at the same time. The Data Protection Representative is largely outward facing, positioned to liaise with individuals whose personal data are being processed and with EU GDPR regulators. The Representative is not restricted from taking part in the operational aspects of the Controller’s or Processor’s data processing activities.
The Representative must act within the terms of the appointment and the mandate of the Controller or Processor, as a type of agent. The Representative is not legally required to be independent but must represent and stand in the place of the Controller or Processor within the EU. If a single entity or person attempted to act as both a GDPR Data Protection Officer and a European Data Protection Representative at the same time, there is likely to be a conflict of interest and practical limitations. However, both roles share the need for ROPA expertise and the ability to work effectively with individuals and EU GDPR regulators.
5. The United Kingdom (UK) has left the EU, should UK Data Protection Representatives be appointed to comply with UK data protection law? Do companies and organisations based in countries that have a data protection adequacy agreement with the EU need to appoint European Data Protection Representatives?
The UK’s exit from the EU means that it is no longer an EU Member State. The UK Information Commissioner’s Office (ICO), the data protection and GDPR regulator, is no longer a GDPR Supervisory Authority or member of the European Data Protection Board (EDPB). The UK has carried forward the GDPR, and so where a company or organisation needs to appoint a European Data Protection representative, if the same or similar data processing activities take place in the UK, a UK Data Protection Representative should be appointed. This requirement will continue even when the UK gains a data protection adequacy agreement from the EU. At present, all companies and organisations in the European Economic Area (EEA) and those based in countries that have an EU data protection adequacy agreement still need to appoint Data Protection Representatives in the EU, if they process personal data, have no established presence within the EU but offer goods, offer services (even for free), or monitor individuals’ behaviour in the EU. This is true, even where this data processing activity never takes place on equipment that operates within the EU (or the UK).
To access our European Data Protection (GDPR) Representative services, UK Data Protection Representative services, Data Protection Officer services or Brexit data services, contact PrivacySolved:
London +44 207 175 9771
Dublin +353 1 960 9370
On 24 December 2020, the European Union (EU) and the United Kingdom (UK) signed the EU-UK Trade and Cooperation Agreement (the “Trade Deal”) to provide an ordered and more certain outcome for the end of the transition period on 31 December 2020. A process of ratifications will take place in January 2021. A no-deal Brexit has been avoided, but this Trade Deal has been described as “thin.” The Trade Deal includes a zero-tariff regime for many goods. The UK economy is approximately 20% in goods, leaving the majority 80% of services sectors with operational uncertainties. The EU’s combined economy is 25% goods and 75% services. From a data protection, General Data Protection Regulation (GDPR) and information security perspective, the Trade Deal provides some clarifications. However, there are still uncertainties to be worked out in the coming months and years.
UK Data Protection Adequacy
The UK will not receive a data protection adequacy decision from the EU before 31 December 2020. As a result, the Trade Deal has extended the data protection status quo that operated during the Brexit transition period, for a further 6 months to June 2021. UK data protection adequacy is not guaranteed in June 2021 and adequacy could be withheld by the EU, but the language of the Trade Deal appears optimistic. An adequacy decision will allow personal data to flow freely from the UK to the EU/European Economic Area (EEA) and from the EU/EEA to the UK, without the need to use the international data transfer mechanisms in the GDPR designed for non-EU third countries. The Trade Deal states that the UK will not be considered a third country for EU/EEA to UK data transfers, for the purposes of EU GDPR, during the agreed extension period. Companies and organisations have a grace period, but still need to plan for the future based on an adequacy decision and also non-adequate third country status.
The need for new EU and UK Data Protection Representatives
Whatever the outcome of UK data protection adequacy decision and its timing, the UK remains outside the EU. This has been a legal reality since 31 January 2020. Companies and organisations (though, not public bodies) without a presence in the EU, offering goods, services or monitoring EU citizens in the EU, will need to appoint an EU Data Protection Representative, in one of the EU’s member states, as soon as possible. This is a legal requirement under Article 27 of GDPR. The EU-UK Withdrawal Agreement and related changes to UK data protection laws require UK Data Protection Representatives for organisations based outside the UK, without a presence in the UK, who offer goods, services or monitor UK citizens in the UK. Companies and organisations, in the UK, EU, EEA and around the world should conduct gap analysis and determine whether these services are legally required.
The UK Information Commissioner’s Office (ICO) reduced role
The ICO is one of the largest and most active data protection and GDPR regulators. Its English language output has a substantial impact on large parts of the world and on international organisations. Brexit means that it is no longer an EU Supervisory Authority under GDPR and so companies and organisations should repatriate key EU GDPR roles to other Supervisory Authorities based within the EU. Ireland’s Data Protection Commission is a near-neighbour substitute. These EU GDPR roles include registering Data Protection Officers, registering Binding Corporate Rules (BCRs), making referrals to the Court of Justice of the European Union (CJEU) and participating in the work of the European Data Protection Board (EDPB) and European Commission. The ICO’s future output will bind UK companies and organisations and foreign companies doing business in the UK. The extent to which most EU, EEA and international companies, who have an EU lead GDPR Supervisory Authority, will be bound by its guidance, codes of practice, decisions and enforcement is uncertain. It is also unclear how closely the ICO will consider or follow the opinions, recommendations and decisions of the EDPB, CJEU and the European Commission. The ICO will have very little direct legal obligation to do so, going forward. The ICO’s role in the maturing and development of the EU’s GDPR will reduce over time.
The Trade Deal: Clear for Goods, More uncertain for Services
The service sectors in the UK and EU generate, use and share a lot of personal data and special categories of personal data. The Trade Deal is focused primarily on goods, security cooperation, trade dispute resolution mechanisms and other discreet areas of trade and cooperation. Data flows in many services sectors such as financial services, information technology, business services, professional services, ecommerce/online retail, leisure, tourism, travel, sports, the arts, entertainment and personal services are affected by Brexit. Established data flows will be changed by new trading restrictions, new processes and limits on data sharing. New data flows will be created that companies and organisations must map, risk assess, manage and add information security protections. Businesses and organisations in the UK may increasingly turn to non-EU partners, suppliers and customers as UK government policy promotes global trade and new international trading corridors. This will create both challenges and opportunities and require better management of international data transfers, supply chain risks, information security resilience, human rights compliance risks and geopolitical risks.
Complexities in Information Security and Cybersecurity
As the UK is no longer a member of key EU institutions, the immediate future will be uncertain as security, information security and cybersecurity relations are re-established or reconstituted. The UK will lose direct member access to the European Union Agency for Cybersecurity (ENISA), Europol and Eurojust. Cooperation on cross-European cybersecurity threats, risks and responses will be negatively affected in the short to medium term. Companies and organisations should monitor these relationships and bolster their individual cyber defence capabilities. Businesses operating in or enabling critical national infrastructure or regulated sectors such as financial services, healthcare, pharmaceuticals and high value engineering, will need to adopt more substantial measures. Will there be future conflicts over whether UK or EU/EEA cybersecurity standards will apply between UK and EU/EEA partners? In the longer term, will international businesses choose to mandate EU/EEA information security standards over UK standards, or adhere to both at additional costs? Companies and organisations will need to strategize about appropriate solutions and sector norms.
Other Immediate and Future Impacts: Work, Travel, Employee Data, Procurement, Immigration, Professional Qualifications and related areas
Personal data requirements, collection, storage and sharing are affected in many common areas, impacting many companies, organisations, supply chains and staff mobility. Human Resources departments, already facing data protection and cybersecurity challenges from the coronavirus pandemic, will faces new, fast changing and unresolved data flows of employee data, including proof and authorisation of professional qualifications. Work permits, visa applications and new immigration rules will diversity data sets and introduce high risk data processing. Other departments and functions like sales, marketing, finance, compliance, legal, audit, information security and procurement will face immediate and longer term data and cybersecurity challenges. Companies and organisations will be in a constant process to realign, overcome uncertainties and fill gaps. The future will require embracing new ways of working together, doing business and sharing data and information between the UK, EU, EEA and globally.
For assistance with Brexit, GDPR and EU data flows, contact PrivacySolved:
London +44 207 175 9771
Dublin +353 1 960 9370
Over time, the personal data impacts of the United Kingdom (UK) leaving the European Union (EU) will be revealed. The scope of any free trade deal that addresses data protection will set the scene for immediate and long-term personal data flows. In the short to medium term, any adequacy decision will minimise costs and disruption to companies and organisations. The impact of the Court of Justice of the European Union’s Schrems II decision on Privacy Shield, as it applies to the UK, will also become clearer as decisions are made. The future will include new European Commission data protection Standard Contractual Clauses (SCCs) for personal data transfers to non-EU countries. It is likely that the UK Information Commissioner’s Office (ICO) could seek to adopt its own international personal data transfer mechanisms and arrangements over time. It is important for companies and organisations to be strategic, measured and deliberate in choosing the way forward.
Strengthen long-term Data Protection Strategy
Companies and organisations should be very clear about their ongoing data protection strategy. For UK companies with limited EU / European Economic Area (EEA) and foreign operations, they must decide their level of proximity to the EU’s General Data Protection Regulation (GDPR) or adopt a more flexible ad hoc approach to anticipate changes to UK data protection laws. For EU and EEA companies and organisations that do business or offer services to UK customers, they must decide and confirm which data protection standard will be their baseline. They must decide the level of deviation that they will permit while accommodating emerging UK data protection norms while staying true to EU GDPR. International companies and organisations must decide on the level of exceptionalism that their data governance programmes will allow for the UK. They should decide whether the UK will be treated as a default EU member state for GDPR purposes and be held to evolving EU data protection standards, despite changes to their domestic or the UK data protection regimes.
Engage with key suppliers and high risk high value contracts
It is important that companies and organisations create and maintain clear channels of communication with their extended supply chains to coordinate their future approaches to data protection. Contracts should be reviewed to ensure that terms which directly or indirectly rely on the UK’s membership of the EU should be reviewed and updated. Key definitions for “applicable data protection law” and many other EU / EEA-centric information should be reviewed to reflect the new realities. Standard Contractual Clauses (SCCs) should be considered for large scale and high risk EU / EEA to UK data transfers.
Monitor as the UK becomes an international data adequacy deal maker
The European Union fiercely protects its allocation of data protection adequacy decisions to countries outside the European Union. The UK is fast becoming a broker in the expansion and allocation of data protection adequacy, beyond the EU’s direct remit. Most of the countries included on the EU’s data protection adequacy list have declared that the UK has data protection adequacy. This includes the larger economies like Switzerland, Argentina, Israel and Canada. Japan and the UK have agreed mutual data protection adequacy, which is linked to a new free trade deal. In time, it is likely that the UK and the USA will come to an arrangement on broad data protection adequacy or create a mutual Privacy Shield-type arrangement to accommodate their future economic relationship. Companies and organisations should watch these developments, constantly assess personal data risks, analyse the longer term effects of the Schrems II decision and evaluate the proximity of new adequacy arrangements to EU GDPR.
Get value from EU Data Protection Representatives
Companies and organisations should use the end of the UK ICO’s role as an EU Supervisory Authority under GDPR as an opportunity for strategic thinking about their EU / EEA GDPR exposure. Data Protection Representatives should be appointed within the EU not just to comply with Article 27 of the GDPR, but to stay connected to EU / EEA customers and users, monitor the work and priorities of other EU based Supervisory Authorities and monitor key policy changes taking place in Brussels. EU Representatives should represent non-EU based (and UK) companies and organisations from within the EU, but also feedback to UK and international companies useful insights, trends, strategic positioning and information about enforcement priorities.
Interact with and educate Users and Consumers
Companies and organisations should take the opportunity to update the places where they meet their users, transact with customers and provide information to them. This includes data protection policies and procedures, data protection notices, information security protocols, websites, publications, social media and staff training initiatives. GDPR Records of Processing Activities (ROPAs) should be updated to maintain transparency and accountability. Supply chains, consumers and users should not be surprised on 1 January 2021 with the sudden impacts of the end of the Brexit transition period, but should steadily receive information and guidance so that practical and strategic choices can be made by all parties.
The coronavirus pandemic has created an explosion in information security awareness and a sense of hyper vigilance. Cybersecurity attacks have increased, especially malware, phishing, vishing and ransomware. As cyber awareness increases, boards, leadership teams and individuals need access to the most reliable sources of information and advice. Excellence, expertise and the ability to communicate security threats, risks, priorities, trends and effective responses are crucial. These trusted insights are vital for companies and organisations.
Leading Data Security Sources: Centres of Excellence
The organisations below have consistently helped companies, organisations and individuals to identify threats, improve controls, increase training and reduce the risk of cybersecurity breaches and loss of reputation. Covid-19 has reinforced their importance. They understand the national and international security landscape. Their experience spans many sectors. Several of the organisations play a key role in national cybersecurity strategies and so are trusted by governments and the public services. The organisations raise awareness, issue threat alerts, produce guidance, publish analysis, create training materials, lead certification activities, respond to data breaches, secure critical national infrastructure and work with companies and organisations to improve their cyber resilience.
The NCSC was created in 2016 and spun out of the UK’s GCHQ. It combines the CESG (GCHQ’s information security arm), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related work of the Centre for the Protection of National Infrastructure (CPNI). It has responsibilities across government, for critical national infrastructure protection and the national cyber security strategy. Its guidance, standards-setting, alerts, website, social media, work with all sectors make it a leader in information security.
NIST is non-regulatory agency of the United States Department of Commerce with a central role of promoting innovation and industrial competitiveness. Its main laboratory programmes include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. For cybersecurity and data privacy, its standards and frameworks are very popular and underpin the information systems of organisations around the world. This work is supported by the Computer Security Resource Center (CSRC). Its guidance, standards, measurements, publications, website and social media output are authoritative.
ENISA is an agency of the European Union, created in 2005 and located in Athens and Heraklion in Greece. The agency works with EU Members States to advise, offer solutions and improve cybersecurity capabilities. It builds capacity to respond to large cross-border cybersecurity incidents or crises. It has developed cybersecurity certification schemes since 2015. ENISA acts as a key centre of expertise for member states, EU institutions and private organisations on network and information security. Its guidance, CERT co-ordination, standards, certification schemes, publications, website and social media output are highly influential.
US-CERT analyses and reduces cyber threats, vulnerabilities, disseminates cyber threat warnings and coordinates incident response activities. It uses advanced network and digital media analysis to identify malicious activity targeting networks in the United States and abroad. US-CERT is part of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Its work includes threat analysis and information sharing, digital analytics, operations, communications and international work. Its publications, advisories, alerts, analysis, advice, website and social media output are respected. Its unique selling point is to analyse and disseminate information about the most persistent international cybersecurity threats.
Created in 2002, the FBI’s Cyber Division leads US national effort to investigate and prosecute internet crimes, cyber based terrorism, espionage, computer intrusions and major cyber fraud. It proactively informs the public about current trends in cybercrime. Its three key priorities are computer intrusion, identity theft and cyber fraud. It works with other agencies and takes part in cross-border initiatives.
Other Influential Data Security Organisations, include: