GDPR DPOs and EU representatives – do you need them?

You are an organization based in North America. You have customers in the EU. You experience a data breach. So what?

Despite being an EU law, the GDPR (General Data Protection Regulation) is reshaping data protection practices for many North American companies too. After all, the Regulation applies to any organization in the world that monitors the behavior of, or offers goods and services to, EU residents. Download our free green paper to find out how this could affect you.

Organizations are obliged to appoint a DPO (data protection officer) if they regularly and systematically monitor data subjects, or process special categories of data on a large scale. Since the GDPR came into effect in May 2018, the international of DPOs has increased. It isn’t always easy to find someone suitable, as they must have expert knowledge of data protection law and practices, be independent, and have no conflicts of interests (i.e. they don’t determine the purposes and means of processing the personal data).

Outsourcing your DPO

You don’t need to employ a DPO in-house. Some benefits of outsourcing the DPO role are:

  • Cost-effective compared to hiring a privacy professional full time
  • You can rely on several experienced DPOs rather than just one, which means that you have more hands on deck, should you suffer a breach
  • The DPOs are available 24/7, and there’s no vacation or sickness time
  • There are no conflicts of interest

IT Governance USA offers DPO as a service on an annual subscription basis. You’ll get a certain number of hours each month to use the services of our DPOs.

EU representatives

A DPO is not the only appointment you need to make.  Under Article 27 of the GDPR, organizations in scope of the Regulation and without a physical presence in the EU need to designate an EU-based representative to, on behalf of or in conjunction with the organization, deal with various aspects relating to data protection. 

You need to appoint an EU representative unless:

  • You are a public authority or body
  • You have a subsidiary based in the EU that has control over data-related decisions
  • You process data from EU residents only occasionally
  • You do not process special categories of data or data relating to criminal convictions
  • Your processing is unlikely to result in a risk to the rights and freedoms of individuals

Appointing an EU representative

We can be your GDPR EU representative. This means we will:

  • Register our EU address as your GDPR representative address
  • Act as the first point of contact for communications received from EU-based data subjects in relation to the GDPR
  • Act as the first point of contact for communications received from EU supervisory authorities and liaise with them on all matters pertaining to the GDPR
  • Hold a record of your processing activities and make these available to the data protection authorities at their request

Both DPO as a service and GDPR EU Representative are in our #BreachReady promotion. Choose from these and other services, tools, and training and get up to 20% off.

#BreachReady banner 2