Yes, Officer, I have a Data Protection Representative!
Here at DPR Group, we’ve found one key factor is affecting our clients’ thinking when it comes to appointing a Data Protection Representative: the lack of advice in the public arena about the difference between the Representative and the Data Protection Officer, a separate role under GDPR.
How did this confusion arise? Quite simply, there is a huge amount of material coming out of the EU about the DPO role, who needs to appoint one and what their role will involve, but there is very little being shared about the role of the Data Protection Representative. The reason? No companies in the EU are required to appoint a Data Protection Representative, so none of the EU-focused literature mentions this obligation!
To explain each of them:
Data Protection Officer (DPO) – as a result of Article 37 of GDPR, a company which is impacted by GDPR (including most companies which hold any data identifying EU citizens) must appoint a DPO where they carry out large scale processing of sensitive personal data, large scale monitoring of individuals, or are a public authority. This applies to companies inside and outside the EU.
Data Protection Representative – as a result of Article 27 of GDPR, a company which is not established in the EU (i.e. they are based outside Europe with no local presence there), but which controls or processes the personal data of persons within the EU, must appoint a Data Protection Representative in the EU.
Essentially, each obligation is separate and different – the DPO requirement is triggered by the types of data which a company processes and the extent to which they process that data; the Representative obligation is triggered simply by being outside the EU and holding the details of customers, prospects, members etc who are based in the EU.
DPR Group has been established to meet this crucial obligation under GDPR, established in all 28 member states to represent our clients’ data protection interests in the European Union. We also work to spread awareness of the Article 27 obligation to have a Data Protection Representative, in an effort to make sure the companies outside the EU who face this ‘hidden obligation’ are prepared to meet it.
Is your company ready for GDPR? If you have no base in the Europe, have you appointed a Data Protection Representative in the EU? Contact DPR Group at email@example.com for more information, or visit our website at www.dpr.eu.com.
Photo by Lukas from Pexels