There are several significant differences between a GDPR representative and a Data Protection Officer (DPO). For example, only organisations that are based outside of the EU but collect or process the personal data of EU citizens are required to hire a local GDPR representative based within the EU. In contrast, organisations that are based in an EU Member State and collect or process the data of EU citizens are required to hire DPOs.
For example, if a US-based company sells products to residents based in Ireland, but does not operate through an Irish branch or subsidiary, it is required to hire a local GDPR representative. In contrast, if a France-based organisation were to do the same thing, it would only need to hire a DPO.
The Role of Data Protection Officer
Data controllers and processors based within the EU must appoint a DPO to assist in monitoring their internal compliance with GDPR. The DPO is usually appointed from the organisation’s staff and must have expert knowledge of data protection laws and practices. If an appropriate individual is not found within the organisation, it may hire a third-party contractor to act as a DPO. However, the DPO may not hold a conflict of interest and must be impartial in carrying out their role.
All large businesses which are covered by GDPR must appoint a DPO. However, if a small business is processing sensitive information, as described in Article 9 of the GDPR, it may be a requirement for them to appoint a DPO too.
The responsibilities of a DPO include:
- the education of staff on subject data rights and their responsibilities under GDPR
- advising senior management regarding GDPR compliant business practices
- monitoring activities across the organisation to ensure they are GDPR compliant
- cooperation with the Lead Supervisory Authority
- assessing IT systems, computer networks and data protection safeguards to ensure they are of the required standard
- notifying data subjects in the event of a data breach
The Role of a GDPR Representative
The primary role of an EU Representative is to act as the mediator between the data controller and EU authorities Data Protection Authorities and data subjects. They do not have the same amount.
The primary tasks of an EU representative are:
- responding to any inquiries EU authorities or data subjects may have concerning data processing
- receiving legal documents for the company as an authorised agent
- maintaining records of processing activities
- giving data processing records to authorities upon request
It should be noted that GDPR representatives are subject to enforcement proceedings if the organisation is found to be non-compliant with GDPR.
According to GDPR’s Article 27, “The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.”