What's the Difference Between GDPR Representatives and DPOs?
For clarification, UK and EU representatives perform the same role, but for different jurisdictions. The term “GDPR representative” is often used to describe both the EU representative and the UK representative roles; it all depends on the context. You’ll know which one is being referred to by looking at the jurisdiction they work in.
Similar names, different responsibilities
The names may sound similar, but do not confuse these two distinctly different roles. A Data Protection Officer (DPO) is responsible for reviewing the business’s data protection strategy and ensuring that the business complies with GDPR. A DPO must have “expert knowledge” of GDPR and can be either an external staff member or a member of the business’s existing staff who has the capacity to take on the role of DPO.
In contrast, a UK or EU representative is an individual or agency who acts as a go-between for businesses and their customers, or the relevant privacy authorities, in the jurisdictions where the company wants to do business but doesn't have an establishment.
A key difference to note between a DPO and a UK/EU Representative is that the Representative is not responsible for GDPR compliance.
When do businesses need DPOs?
Any business that has a physical operating presence in either the UK or EU and that processes data in “large volumes” or data that is considered “sensitive data” (in either case relating to UK or EU data subjects) will be required to appoint a DPO in accordance with Article 37 of GDPR for EU businesses, or in accordance with UK GDPR rules.
The regulations in GDPR itself do not define what exactly “large volumes” of data are, so instead we look to national data protection authorities who have issued advice on the subject. (DLA Piper has a helpful tool to find data protection agencies for each country.) This guidance also includes examples that demonstrate how “large volumes” of data differ depending on the circumstances of data collection and control.
Why do we need UK/EU Representatives when we have Data Protection Officers?
Often, the role of DPO and the role of representative are confused: some people might assume that because DPOs have more responsibilities to ensure compliance, having one in your team removes the need to have a representative. It doesn’t. It might also seem obvious to a business that they should always choose a DPO who is responsible for enforcing data processing and controlling practices that meet GDPR needs, and that may be true, but the two roles are not mutually exclusive.
A UK or EU representative is required when a business has no physical operating presence within the jurisdiction where it processes data on subjects of that jurisdiction. Think of the representative as a fire marshal, guiding people where to go, whereas the DPO is the firefighter, directly tackling the fire.
How to choose the right privacy and legal support for your startup
Running into privacy issues with your clients can have a negative impact on your business. They can lose you customers, make your company vulnerable to non-compliance fines, and even put off investors, so privacy matters are not to be ignored or taken lightly.
If you need advice on privacy-related matters, book a call with a member of our team today. Our privacy experts can offer support and help with GDPR matters, and we also provide UK representative services.