If you are doing business in the EU from outside the EU, then you will need to “designate a representative”. Our bespoke Designated Representative service will ensure your compliance with GDPR and will act as the first point of contact on your behalf with all EU Data Protection Authorities.
Are you operating in the EU from outside the EU?
If the answer is yes, then under Article 27 of the GDPR you will need to “designate a representative in the EU”. This applies even where an organisation is not established within the EU: you will still be regulated by GDPR if you process the personal data of data subjects who are in the EU where the processing activities are related “to the offering of goods or services” to such data subjects in the EU (Article 3(2)(a)), or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.
Critically, the offering of goods or services is caught even when no payment is required. Internet use profiling (Recital 24) is expressly referred to as an example of monitoring.
GDPR now requires any non-EU company that targets EU consumers to conform to a unified privacy regime that is very different from, for example, the U.S. sector-based laws currently in place. For those without a current model, building, testing, and deploying the sophisticated data infrastructures and security systems that GDPR demands — plus instituting new policies and procedures — will be a massive undertaking. Preparing internal processes and controls can take a significant amount of time for any company — and there will be no additional grace period now that the law has gone into effect.
Potential fines are severe for companies that violate GDPR, particularly if regulators find evidence of negligence, willful disregard for known compliance shortcomings, or harm to a large number of EU residents through, for example, a security breach. Companies that are found to have willfully violated the new rules could face fines of up to 4 percent of their prior year’s global net revenue. For a U.S.-based company with $500 million in sales, that translates to a potential liability of $20 million.
Fines aside, by addressing the challenges posed by GDPR, particularly those around information security, companies can enjoy many broad business benefits. Building data inventories, conducting security assessments, and strengthening privacy protocols can bolster legal and compliance initiatives, as well as enhance a company’s reputation. Even if certain companies do not need to comply immediately once the rules are clarified, they may find themselves subject to regulatory bounds sooner rather than later. Many experts believe that GDPR has the potential to become a de facto global standard for data governance and privacy. Embracing these regulations now may very well translate into a competitive advantage down the road.
Give us a call and find out what we can do to get you on the road to compliance.