Sorting out the complexity involved with employing a data protection representative
In my previous blog, “GDPR 101: What’s a Data Protection Representative?” I provided guidance from Tim Bell, managing director of DPR Group, about the responsibilities of the data protection representative (DPR), a role required by Article 27 of the EU’s General Data Protection Regulation (GDPR). In this blog, Tim answers my questions about how to comply with Article 27. (DPR Group provides EU representative services in all 28 EU member states.)
Does the DPR have to be an employee or can a third party act as the DPR?
It’s unlikely that the DPR will be an employee of the data controller/processor required to appoint one. Because the representative must be in the EU, and is only required where a company has no establishment in the EU, the company in need of a DPR is unlikely to have anyone located in the EU. It’s anticipated that the role of the EU representative, or DPR, will mostly be taken up by specialist companies. Traditional advisors like law firms will generally resist accepting this role, as they won’t be comfortable with the liability it attracts — the courts can look through corporate structures in an effort to recover sums from group parent companies.