Why the GDPR article 27 Representative matters

Appointing an Article 27 Representative is an easy step to show compliance and send a strong message to EU consumers and data protection authorities

There appears to be a global movement of reform in the field of data protection law: first the GDPR, then the California Consumer Privacy Act last June, followed by Brazil’s General Data Protection Law in August, and soon India’s Protection of Personal Data Law. With the GDPR now in force since 25 May 2018, it’s no longer about getting ready for an impending change in regulation: it’s about making sure your company complies to the new rules. Businesses are now devoting increasing resources to compliance. According to a recent report by the International Association of Privacy Professionals and Ernst Young, the top Global 500 firms plan to spend a combined $7.8 billion on GDPR compliance.

Although companies are beginning to realize the full measure of their new obligations under GDPR, there is still a blind spot in the debate: the necessity of appointing an article 27 representative for companies located outside the EU.

What exactly is an article 27 Representative?

It’s a person that you must appoint if you are a company or an organization located outside the EU to act as a go-between for you and local data protection authorities and EU consumers. You will need to appoint one if you are a non-EU company that offers goods and services to EU customers or processes their behavioral data for monitoring purposes. In short, article 27 Reps are there to make sure that EU authorities have someone to talk to when they are concerned about the way you handle the data of EU consumers. It ensures that the GDPR effectively applies not only to companies located inside the EU, but also to those outside the EU.

Another reason why people tend to overlook the art. 27 Rep is that it is often confused for the new Data Protection Officer (DPO). There is one key difference between the two: the art. 27 Rep serves to establish a physical point of contact for regulatory authorities on EU soil when a company is located outside the Union, whereas the DPO has to be designated regardless of the company’s physical location when conditions for DPO-designation apply. Also, whereas the DPO will try and infuse a culture of data-protection within the company, the Rep is here mainly to ensure that there is effective communication with EU data subjects and data protection authorities.

The costs of non-compliance

There’s a strong financial impetus to appoint a Rep: while, as often, the cost of compliance can seem high at first sight, it’s comparatively low when you take a look at how heavy fines can be in case of non-compliance. Failing to appoint an article 27 Rep is considered an infringement of the GDPR pursuant to article 83. This means that it could lead to a fine by a data protection authority up to 2% of global turnover or €10 000 000, depending on which is highest – and you can add the cost of litigation on top of that. Needless to say, it’s safe to appoint an art. 27 Rep., even if you think the odds of getting fined are low, especially given the fact that the reputational cost of being stigmatized as a non-compliant foreign company can run high. In 2016, WhatsApp made headlines when it was fined by the Hague Administrative Court for failing to appoint a Representative under Directive 95/46/EC of 1995, the GDPR’s ancestor.

A boost to your business in the EU

Appointing an art. 27 Rep is a quick and easy way of showing regulatory authorities and EU consumers that you care about data protection and that you are ready to engage in a dialogue with them. It shows a willingness to address privacy-related topics in an open and transparent way while welcoming consumer complaints when they occur. As your company develops its activities in the European Union, it is essential that it demonstrates this state of mind if it wants to acquire new customers and in order to avoid any unnecessary friction with data protection authorities that might cause incidental reputational damage. It sends a signal to the regulator, and it shows a clear commitment to take privacy seriously. From a commercial point of view, it helps strengthen consumer trust and paves the way for growth opportunities in the EU.

Need a GDPR representative? Feel free to contact us: contact@sybil-dataservices.eu