Not representative
Tim Turner
Practical + theatrical UK GDPR & FOI trainer & consultant. Not GDPR certified (no-one is). Available for hire online or in-person. Will supply own props.
Do not listen to lawyers. Or DP consultants.
Or, at least, don't act solely on a headline or a press release.
Several different articles are doing the rounds, talking in scary terms about a #GDPR fine issued by the Dutch Data Protection Authority on a Canadian firm who they say should have appointed an EU representative, but hasn't. They all seem to trace back to stern words from Wouter Seinen, the head of Pinsent Masons' Amsterdam office, which are specifically aimed at UK businesses. He claims many UK businesses may still be subject to the EU GDPR (technically true), they may be unaware of the representative requirement (very likely), and "it is almost impossible to find an excuse for not having met this requirement" (this is bollocks).
If you don't process EU residents' data at all, the requirement doesn't come into play. If you occasionally process EU residents' data, it doesn't involve large scale special categories or criminal data and is unlikely to involve a risk to people's rights and freedoms, you're exempt. My business is exempt: yours might well be too. It's far from impossible to be exempt. According to the Dutch DPA, the website in question (Locatefamily.com) showed home addresses and sometimes phone numbers of hundreds of thousands of Dutch people without their knowledge or consent, and the DPA received dozens of complaints. Seinen might advise companies to "urgently" review their representative status, but this is one case in three years based on a very contentious use of data. A UK company securely handling EU customer data is unlikely to generate anything like the same level of attention, and so businesses in the UK shouldn't overreact.
Reading a press release isn't enough. If you look at what GDPR actually says, it's clear that the "impossible" line is an exaggeration. If you look at the number of representative enforcement actions there have been, you get a better sense of the risks. I don't know if Pinsent Masons or their commercial partners offer representative services, but it would be nice to know that they don't, to gauge where this advice is coming from. In any case, it's overhyped and, in my opinion, unhelpfully lacking in nuance.
I'm not saying you shouldn't care: good GDPR compliance is good business. Poor data handling will very likely lead to poor customer relationships, lost profits and (possibly) enforcement or litigation. But the representative element of the GDPR, especially for a company with limited EU customers or low-risk processing, is absolutely not the priority. My advice is to look at security and data quality first, and assess the need for a representative based on reality, not a single case.
And beyond that, as we get to three years of GDPR, surely the DP sector can do better than scaremongering?
https://www.pinsentmasons.com/out-law/news/warning-for-uk-businesses-after-dutch-gdpr-fine
GDPR Consultant, DPO and Author. Director & Owner at Professional Procurement & Project Management
3 years ago: Excellent post Tim Turner - I too have seen an increase in scaremongering about the need for an EU representative - it’s super important to get the message out that the need for an EU representative depends on your situation (as with most things GDPR related)
VP Data Governance and Privacy, Bank of China (UK) Ltd. | CIPP/E | CIPM
3 years ago: It’s so true, Tim. With a bit of research to find out the criteria for an EU rep, a rough and ready analysis of your processing within the EU will usually let you know if you need one. If not, a bit of refinement to that analysis will give you good documented reasoning as to why you arrived at that decision. ‘Show how you worked it out’, as my maths teacher used to say!