GDPR Readiness: Challenges for Organizations Outside of the EU

by Sarah Harvey / November 6th, 2018

Although the EU’s General Data Protection Regulation (GDPR) enforcement deadline has passed, many non-EU organizations are still questioning what they need to do to ensure compliance. Do they need a designated representative? Where does their designated representative need to be located? Is a designated representative the same thing as a Data Protection Officer? Who do they need to notify that they have a designated representative? How do they do this? In this webinar, learn as KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, and the Founder and Chair of the Board of EDPO, Jane Murphy, answer these questions and more.

The Hidden Obligation Under GDPR: Article 27

Many non-EU organizations have missed a component of GDPR compliance: appointing a designated representative within the EU. This requirement comes from Article 27 of the law, which many people refer to as the “hidden obligation” within GDPR. According to Article 27, non-EU organizations must designate a representative within the EU if they monitor or process the personal data of EU data subjects. A designated representative can only act on behalf of their client (a controller or processor subject to GDPR), acts as a point of contact for supervisory authorities and European clients, and assists controllers or processors in breach notification.

How can non-EU organizations (that must comply with GDPR) determine if they need a designated representative? First, they need to identify how much and how frequently they monitor or process personal data of EU data subjects. Second, they must determine if they have an establishment in the EU. This means that non-EU organizations must verify whether they have any organizational links to EU data subjects, which could include employees, clients, investors, or partners. There are several factors, gray areas, and exceptions for determining whether a non-EU organization must appoint a designated representative that we’ll discuss in this webinar.

About EDPO

In this webinar, we’re pleased to be joined by Jane Murphy from the European Data Protection Office (EDPO). Jane is Founder and Chair of the Board of EDPO. She is a Belgo-Canadian lawyer specialized in GDPR, corporate law, M&A, and corporate governance. She is also an independent non-executive board director of listed and non-listed companies in Belgium and in France and a member of various committees (audit, risk, legal, compliance, corporate governance and remuneration). She is Vice-President of CanCham Belux, member of the IAPP, and of the DPO Circle. She holds law degrees from Canada and Belgium, an LLM in European and International Law, a Certificate in EU Data Protection from Solvay Brussels School of Economics and Management, and completed a summer program in International Business at Harvard.

EDPO is a privately-held Belgian company located in Brussels that acts as a trusted EU-based representative for companies located outside of the EU that fall under the scope of the GDPR. EDPO provides a certificate that confirms compliance with Article 27 of the GDPR and unlimited assistance in the handling of requests from individuals and data protection authorities across the 28 Member States of the EU. EDPO’s mission is to enable non-EU companies to continue to have access to customers in the EU. Its team of experts creates value for non-EU companies by ensuring legal certainty and by protecting them against sanctions that can reach up to €20 million or 4% of global revenues, whichever is greater.

For more information on selecting a designated representative for non-EU organizations or to find out how your organization can begin your journey toward GDPR compliance, watch the full webinar. To learn more about the GDPR services we offer, contact us today.