EU REP vs. DPO: What is the Difference?
As a consequence of the UK’s exit from the EU, all businesses that regularly process personal data must now appoint an EU representative. Regardless of whether the EU grants the UK adequacy, organisations will still be required to appoint an EU representative. Likewise, companies in the EU that process the data of UK citizens need to appoint a UK Representative.
This new development has raised several questions for UK businesses, the most common being: can a Data Protection Officer (DPO) also act as an EU Representative? And, crucially, what is the difference between the two roles? If you have been asking these very same questions, then look no further!
Comparing the responsibilities
EU Representative
The responsibilities of an EU Representative are relatively straightforward: essentially, they act as an organisation’s representative in the EU (and a UK Representative does the same in the UK). This means they are the local point of contact for supervisory authorities dealing with data protection and privacy matters. A representative also handles requests from data subjects wanting to exercise their GDPR rights and raises any queries and complaints an individual might have about the processing of their personal data.
The EU Data Protection Board states that an EU representative leads to a “one-stop-shop for data breach reporting” under article 33 EU GDPR. Instead of addressing 43 different authorities in the EU, companies with an EU representative need only submit notices to one single authority. It is important to note that the appointed EU representative must be included in the organisation’s privacy policies.
- The EU Representative is the person designated, where appropriate, to represent companies not located in the EU regarding their GDPR obligations.
Data Protection Officer
Even though a DPO must also act as a point of contact for supervisory authorities, the responsibilities of the role stretch much further than this: a DPO is responsible for informing the organisation, giving data protection-related advice, and monitoring the overall performance of the security software to ensure it complies with the relevant GDPR requirements.
Informing and advising companies covers a whole range of tasks, including training staff, offering support and guidance across the organisation, conducting audits, and creating and maintaining procedures and policies. Each DPO role will vary depending on the organisation’s sector and its compliance goals, but every such job requires a step-by-step approach to achieving compliance, which sets it apart from a representative role.
- As part of the GDPR, a company designates a Data Protection Officer (DPO), whose duty is to facilitate and assess compliance with its GDPR obligations.
Can one person be both?
If an organisation processes the personal data of EU and UK residents, then depending on the circumstances it may be required to appoint a DPO, a Representative, or both. A common and logical question most organisations ask themselves is whether these roles can be fulfilled by one person.
This question has no definite answer; however, the Irish DPC has suggested that it is best to separate the roles, as the differing focus of each role creates the potential for conflicts of interest. Outsourcing one or both roles can mitigate that conflict of interest.
Risks
If an organisation is required to appoint a representative but fails to do so, the Information Commissioner’s Office (ICO), as well as other EU data protection bodies, can issue hefty fines of up to €10 million or 2% of the total world annual turnover.
Not only is there a large financial risk to businesses that don’t appoint a representative, but there is also a risk to an organisation’s reputation, which will inevitably damage customer relations, business collaborations, and the overall reliability and values of the business. It is imperative that UK companies appoint a rep or prepare to face the consequences.
We understand that running and managing a business is hard enough without the added pressure of GDPR compliance and the new post-Brexit data protection rules. We are also aware that many companies have limited knowledge of GDPR fines, particularly small businesses, which often do not know about the risks of not appointing a rep. So what better way to let people know than to feature it in this article!
Conclusion
Though seemingly similar, the roles of a DPO and a Representative are significantly different. Not only do they have entirely different focuses, but they also carry very different responsibilities. It is important to know which role, if either, your organisation needs, and whether your business requires both. Based upon expert opinion, it is advised that these roles not be given to one person.
If you are considering outsourcing a DPO, need GDPR training, or advice on the latest information about appointing an EU Representative, please get in touch via chatbot, email and phone.