The Risks Of Not Having An Article 27 Representative
JANUARY 30, 2019
With the GDPR in force, the steps for appointing a Representative are quite clear. But why should you? What happens if you don’t comply? If you are not based in the EU and you fail to appoint a representative for your business which holds EU-based personal data, you are in breach of the GDPR.
Simply put, you are breaking the law and failing to comply with your legal obligations. This is not optional, and non-compliance can be heavily fined.
There are two tiers of administrative fines for the purposes of the GDPR.
Infringement of Article 27 itself, i.e. failing to appoint a representative in the first place, is subject to the first tier of administrative fines of up to €10,000,000 or up to 2% of total worldwide annual revenue of the preceding financial year, whichever is higher.
Furthermore, while the failure to appoint a representative is in itself non-compliant with the GDPR, whether or not the business has appointed a representative is one of the factors to be taken into account in assessing the level of the second tier of administrative fines of up to €20,000,000 or up to 4% of total worldwide annual revenue of the preceding financial year, whichever is higher, for more serious breaches of the GDPR.
The degree of responsibility shown by the business with regard to technical and organizational measures in its compliance with the GDPR will be taken into account in assessing fines. As a result, businesses that fail to appoint a representative not only face direct fines for failing to do so but also face increased fines for other aspects of GDPR non-compliance. The risks here are very significant and detrimental for small to medium businesses.
Apart from fines, the GDPR introduces civil liability for businesses, pursuant to which any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the business for the damage suffered. The GDPR also introduces a type of class-action system where not-for-profit agencies can take legal action against businesses on behalf of groups of consumers.
Given the exposure to civil liability for breaches of GDPR, one of the most important things that businesses should be doing now is to insure themselves against these risks. While cyber liability insurance may be used to mitigate these risks in business, it should be borne in mind that implicit in your utmost good faith insurance contract will be your obligation to comply with your legal requirements. If you have chosen not to appoint a GDPR representative for your business, you may be invalidating the very insurance that you are paying for to protect you against that risk in the first place.
Flor McCarthy is one of Ireland’s leading lawyers and a recognised expert in marketing. He has particular expertise and hands-on practical experience in privacy, data protection and GDPR issues for marketers. He is certified by the Law Society of Ireland in Data Protection Practice and lectures lawyers on data protection practice and compliance. He is managing partner of a multi-award-winning niche legal practice. He has been in private practice for over 20 years and has been elected by his peers to sit on the exclusive Council of the Law Society of Ireland, the governing body for Irish lawyers.