The General Data Protection Regulation (GDPR) is the European Union’s (EU) data protection law and is considered the most stringent of any privacy and security laws in the world.
Article 27 of the law requires that companies that are operating outside of the EU but are involved in working in the digital space with the personal data of people or organizations located in the EU, must designate a representative within the EU to communicate privacy-related matters between the non-EU business and the customers receiving the goods or services located in the EU.
Companies outside of the EU should not confuse the representative with a Data Protection Officer (DPO), which is required for all companies. The appointed representative is responsible for only those companies outside of the EU. The sanctions for non-compliance have proven to be severe and can include substantial fines, damage to company reputations, and, in some cases, a loss of business.
With Challenges Come Opportunities
In studying case law regarding GDPR, legal experts find that while the goal is universal legislation with uniformity across organizations, sanction outcomes have been inconsistent. Based on the rulings, a narrative is forming that small, and big companies are targeted. This includes companies that are more vulnerable to being subjected by data governance agencies as an example of what not to do. Other findings reveal fines are heftier for some than others.
Strict governance combined with inconsistent outcomes makes the matter even more crucial in helping clients understand the risks involved in compliance with GDPR. A responsibility has been placed on experts to promote awareness of the GDPR and its four basic principles – legal basis, minimization, transparency and purpose.
In that responsibility, a tremendous opportunity has been created to guide clients in creating solutions for not only current legislation but, in a proactive approach, the needs of clients as they relate to future legal developments. This is especially crucial when considering changing legislation, new local governance and evolving digital technology, like artificial intelligence and machine learning.
Data Protection Reviews Offer Protection
In assisting clients with taking the opportunistic lead on GDPR, rather than become an example of noncompliance, some law firms are offering a “Data Protection Review” to clients and follow-up monitoring to ensure the clients remain in compliance with the law.
For example, Sweden's law firm Wesslau Sӧderqvist Advokatbyrå currently offers clients services to review the companies’ standing regarding GDPR compliance. The firm has identified opportunities in their markets to provide further assistance in helping the companies strengthen compliance requirements and remain in good standing with the law.
Firm members of Santiago Mediano Abogados in Madrid, Spain offers basic analysis for corporations regarding compliance measures as well as advice about the hot topics involved with GDPR. The firm’s approach is personalized, recognizing the differences in companies and the need for case-by-case analysis.
The opportunity to market services for representation to outside EU clients is great. The need for in-depth assistance becomes a call for a range of GDPR products and services provided by law firms throughout the world. The matter certainly deserves additional attention, with discussions regarding preconditions such as establishing credibility and liability.
Henrik Nilsson of Wesslau Sӧderqvist Advokatbyrå moderated a discussion with Guillem Valencia Caballero of Santiago Mediano Abogados in a Mackrell International (MI) webinar titled “GDPR: Representation for Article 27.” Learn more about our Global Privacy & Data Privacy practice group at https://www.mackrell.net/practice-groups/global-privacy-data-security.