The magnitude of impact that the General Data Protection Regulation (GDPR) has had means businesses and other organisations have had to rethink the way they work. This has included making space for new roles to help them handle data in compliance with the new rules.
While there is some overlap, the roles of the Data Protection Officer (DPO) and GDPR representative are distinct. In most cases, both are necessary to facilitate the lawful and proper collection, processing, and handling of individuals’ data. These two roles have become a focal point for organisations especially since the UK exited the European Union. Organisations have had to adjust because business between the UK and the EU remains strong, but the exit has led to some necessary changes to remain compliant with the GDPR.
It’s important to note, then, that both roles may apply when an organisation regularly processes data both within the EU and in the UK.
What is a Data Protection Officer (DPO)?
DPOs are independent data protection experts with many responsibilities around lawful and responsible data handling within organisations. Some of their responsibilities include:
- Monitoring an organisation’s compliance with data protection regulations.
- Informing organisations of their data handling obligations.
- Giving sound advice on DPIAs (data protection impact assessments) and monitoring their performance.
- Acting as a contact point for data subjects and for the relevant supervisory authority, such as the ICO (Information Commissioner’s Office) in the UK.
According to GDPR, there are many organisations that must appoint a DPO to ensure compliance. If your core activities include processing large amounts of sensitive data or involve large-scale regular and systematic monitoring, then you need a DPO. These experts will assist you in monitoring internal compliance. They’ll also ensure your organisation processes the personal information of its staff, customers and any other individuals (known as data subjects) in compliance with GDPR data protection rules.
DPOs can also provide advice and training to those within an organisation. Their expertise and knowledge are useful for employees and HR departments and even managers in the ever-evolving world of data processing and data protection. Furthermore, they act as a link between the organisation and the public in regard to the processing of personal information.
DPOs can work internally or externally. One of the benefits of an internal DPO is that they can act as a source of constant guidance and advice on data protection regulations. But many organisations find that an outsourced DPO hired externally is in their best interests. This is in part because keeping the role external means the normal daily flow of work is not impacted and there’s no conflict of interest.
What is a GDPR representative?
GDPR representatives do exactly what it sounds like they do—they represent an organisation. More specifically, GDPR representatives are necessary for businesses that don’t have a branch, office or other establishment in an EU or EEA state yet offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA. In simple terms, to continue to operate and collect sensitive data from EU data subjects, you need a GDPR representative to continue data processing.
The EU GDPR requires organisations to appoint a GDPR representative inside the EEA. Furthermore, the representative must be set up in an EU or EEA state where some of the individuals whose personal data you process are located. Interestingly, GDPR representatives can be an individual, a company or an organisation—so long as they’re willing to represent you in regard to your data processing obligations under the EU GDPR. You need to authorise them to be your representative, and this is done in writing. The authorisation states that they act on your behalf in regard to your EU GDPR compliance and that they’ll deal with any supervisory authorities or data subjects in this respect.
It’s also necessary that organisations give details of their GDPR representative to EEA-based individuals whose personal data they process. This can easily be done by including the details in your privacy notice or in the upfront information you give individuals when you collect their data. This information must also be easy for supervisory authorities to access; a good way to achieve this is by publishing it on your website. Your appointment of your representative must be in writing and be set out in the terms of your relationship with them. Moreover, it’s important to note that having a GDPR representative does not affect your responsibility or liability under the EU GDPR.
While it can be easy to confuse them, there’s a big difference in responsibilities between DPOs and GDPR representatives. In general, DPOs are necessary for businesses, companies, and organisations that process large amounts of individuals’ data. Whether a GDPR representative is necessary depends on your organisation, how you conduct business, and where you conduct it.