Since the United Kingdom’s departure from the EU, ADVISORI has received multiple inquiries from UK based organizations regarding Brexit’s impact on the application of Article 27 of the General Data Protection Regulation. We offer this guidance to assist those organizations with Article 27 compliance.
Setting aside Brexit, we have found that Article 27 is often overlooked or misunderstood due to Article 37’s data protection officer requirement. While complimentary, the roles and responsibilities identified in these two articles are quite different. For instance, a data protection officer must operate within the highest levels of the company to educate the organization on data privacy and protection regulations; identify existing privacy risks; develop, implement, and maintain affective risk mitigation strategies, achieve overall compliance with data privacy requirements, and work with both data subjects and data protection authorities to ensure that private and sensitive data is properly collected, processed, and destroyed when necessary.
In contrast, the Article 27 data protection representative serves primarily as the front-line contact for the organization and “…should perform its task according to the mandate received from the controller or processor, including cooperation with the competent supervisory authorities with regard to any action taken to ensure compliance with [the GDPR].” (See Recital 80 of the GDPR).
In sum, the DPO should be proactive in organizational data protection activities while the representative is more reactive to data subject and data protection authority inquiries and requests.
Article 27 requires organizations based outside the European Economic Area (EEA) processing personally identifiable information belonging to EEA residents on a “large scale” or those processing “special categories of data” or both, to appoint a data protection representative as described above.
Prior to Brexit, these organizations could appoint a single representative as the UK was a member of the EEA. Post-Brexit, organizations based outside either the UK or the EU may have an obligation to have multiple representatives. For instance, if a non-UK/EEA organization collects or processes data belonging to UK residents, it will be required to have a UK representative. If this same organization also collects or processes data belonging to a resident of the new EEA alignment, it may also be required to appoint additional representatives in one or more of the EEA member-states.
Adding to the complexity, the Irish Data Protection Commission (DPC) has suggested that using a single person serving as both data protection officer and data protection representative could give rise to a conflict of interest. Best practices dictate that the roles should be separated.
Despite the complications identified above, any organization dealing with either UK or EU data must act. As of the date of this publication, May 12, 2021, the Dutch DPA imposed a €525,000 fine on an organization operating in the EU for failure to appoint a data protection representative.
For assistance with determining your organizational needs relating to Article 27, please contact us at [email protected].