Get an Article 27 Rep
GDPR's Article 27 requires organizations that aren't located inside the European Union to appoint someone as their local contact for individuals and local data privacy entities. This is a different function than a "data protection officer," an in-house role not delegated to a third party or consultancy.
The IAPP notes that few companies have emerged to take on the role of Article 27 reps, since the authority also comes with more liability than they want. General enforcement actions – and fines – in the first year of GDPR may confirm these third parties' worst suspicions.
Rightly or wrongly, not having an Article 27 rep may also draw unwanted enforcement action.
"Put simply, if a company does not have a base in the EU and does not have details of their representative in their customer-facing privacy notice, it is immediately apparent that it's failed to meet the Article 27 duty," wrote Tim Bell, managing director of DPR Group, on the IAPP website. "For the EU data protection authorities, spotting this failure is likely a red flag of potential noncompliance elsewhere."
And it's why the Article 27 rep requirement is sometimes referred to as the hidden obligation of GDPR.
(Image: Photographee.eu/Adobe Stock)