For businesses that collect, process, or store data relating to EU data subjects, it is important to understand the difference between a GDPR representative and a DPO (Data Protection Officer). The failure to appoint the right person in the right role can lead to penalties for non-compliance with GDPR.
In theory, the difference between a GDPR representative and a DPO is quite straightforward. If a business has a physical operating presence within the EU and it processes “large volumes” of data or “sensitive data” relating to EU data subjects, it is required under Article 37 of the General Data Protection Regulation to appoint a Data Protection Officer (DPO).
GDPR does not define what constitutes “large volumes” of data, but several national data protection authorities have issued guidance or examples of what they consider to be “large volumes” depending on the nature of the data and the length of time it will be collected, processed, or stored. As a best practice, all businesses should voluntarily appoint a DPO.
If a business does not have a physical operating presence within the EU – but processes data relating to EU data subjects – it may be necessary to appoint a GDPR representative under Article 27 of GDPR. However, there are numerous exceptions to this requirement – again depending on the nature of the data and the purpose of its processing.
The Role of a GDPR Representative
The most important thing to note about the role of a GDPR representative is that he or she is not responsible for GDPR compliance. GDPR compliance always remains the role of a DPO or – if one is not appointed – the business controlling and/or processing data. Beyond that distinction, there are several similarities between the role of a DPO and the role of a GDPR representative.
The responsibilities of a GDPR representative include:
- Acting as an intermediary between the business and national data protection authorities.
- Being an authorized agent to receive legal documents on behalf of the business as they relate to EU data privacy and security notices.
- Maintaining records of data processing activities and making the records available national data protection authorities when requested.
A GDPR representative can be any individual or a company within the EU – indeed, some companies offer professional GDPR representative services. The individual or company doesn´t need to have any special qualifications, although it is recommended they have a thorough understanding of GDPR to prevent non-compliance going undetected.
Finally, the GDPR representative should be located in the EU member state in which the business´s data originates. I.e. if the business processing data from German citizens, the GDPR representative has to be located in Germany. If the businesses collects, processes, or stores data originating from multiple EU member states, the business can choose in which of those states the GDPR representative is located.
The Role of Data Protection Officer
The role of a Data Protection Officer is to review a business´s data protection strategy, make sure it complies with GDPR, and ensure the strategy is implemented. A DPO can be a member of the business´s existing staff, but has to have “expert knowledge” of GDPR and the “ability to fulfill their task” without there being a conflict of interest between their day-to-day role and the role of a DPO.
The responsibilities of a DPO include:
- Educating staff on data subjects´ rights and their responsibilities under GDPR.
- Advising senior management on GDPR-compliant business practices.
- Monitoring data collection/processing/storage practices to ensure they are GDPR-compliant.
- Conducting audits to ensure compliance and address potential issues proactively.
- Assessing IT systems to ensure they are of the required standard.
- Cooperation with the national data protection authority when required.
- Maintaining comprehensive records of all data processing activities conducted by the business, including the purposes of all processing activities, which must be made public on request.
- Interacting with data subjects to inform them about how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information. This includes notifying data subjects in the event of a data breach.
Disclaimer: The information above is provided for guidance only. Due to the General Data Protection Regulation being frequently updated, and national data protection authorities applying their own interpretations of the Regulation, this information should not be considered legal advice. If you are unsure about whether your business is required to appoint a Data Protection Officer or GDPR representative, you should seek advice from an independent GDPR professional.