The General Data Protection Regulation came into effect on May 25. In an effort to comply, companies of all sizes have been taking steps to meet requirements. Mapping data, appointing staff to lead data protection work in the organization, reviewing and updating security, developing data governance programs – businesses are investing time and resources to understand and meet GDPR expectations.

What is often lost in this flurry of activity is an understanding of GDPR’s Article 27 – a provision that requires companies that are not established in the EU, but that collect and process personal data about residents of the EU, to appoint an EU-based representative. The EU rep is intended to serve as a point of contact in Europe for individuals who have questions or concerns about the processing and protection of their data. Individuals can also come to the EU representative to request access to their data. For data protection authorities, the EU rep is the go-to person in case of an inquiry or an investigation.

By including this article in the GDPR, policymakers sought to ensure that EU citizens could pursue their rights in their data, even when the data controller or processor is located outside of Europe. Article 27 ensures that individuals won’t be required to effectively “chase their data” – to resolve complaints or view their data in far-flung places, pursue their inquiry in an unfamiliar language, or navigate a foreign bureaucracy. Without Article 27, individuals whose data is held by controllers and processors outside of Europe would face challenges of cost, physical distance, and time zone differences in attempting to exercise the rights the GDPR is designed to protect. At the same time, the Europe-based representative serves as the first contact should a regulator call with an inquiry or to initiate an investigation.

But even beyond the legal requirement, compliance with Article 27 offers an opportunity for companies to safeguard their relationships with customers and regulators. Responding to customer inquiries and complaints in a constructive, respectful, professional way enhances a company’s brand and reputation – not only for good privacy practices, but for good customer service. A regulator’s interaction with the EU rep may be the first contact they have with a company. The rep’s professionalism and knowledgeable approach to the regulator’s initial questions can set the tone for any inquiry going forward.

The GDPR requirement for a representative in Europe is real, and companies will need to provide the rep’s contact information in the privacy statement. Obviously, an EU rep needs to meet any bureaucratic requirements – it must have on hand the documentation specified in Article 27 – so that it can respond quickly to any inquiry. Making sure the rep can offer a positive, professional face for your organization is just as important.

As companies do the important work to comply with the GDPR, they should remember that their investment in good representation in Europe is a critical piece of the compliance puzzle and one that can pay important dividends in the future.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software-guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact