With the GDPR in order, the actions one must take in appointing a Representative are quite clear. But, why should you?  What would happen if you don’t comply? If you are not based in the EU and you fail to appoint a representative for your business which holds EU based personal data, you are in breach of the GDPR.


Simply put, you are breaking the law and failing to comply with your legal obligations.  This is not optional and can be heavily fined.

There are two tiers of administrative fines for the purposes of the GDPR.

Infringement of Article 27 itself, i.e. failing to appoint a representative in the first place, is subject to the first tier of administrative fines of up to €10,000,000 or up to 2% total worldwide annual revenue of the preceding financial year, whichever is higher.

Furthermore, while the failure to appoint a representative is in itself non-compliant with the GDPR, whether or not the business has appointed a representative is one of the factors to be taken in account in assessing the level of the second tier of administrative fines of up to €20,000,000 or up to 4% total worldwide annual revenue of the preceding financial year, whichever is higher, for more serious breaches of the GDPR.  

The degree of responsibility shown by the business in regards to taking into account technical and organizational measures in its compliance with GDPR will be taken into account in assessing fines.  As a result, businesses that fail to appoint a representative, not only face direct fines for failing to do so but also face increased fines for other aspects of GDPR non-compliance. The risks here are very significant and detrimental for small to medium businesses.

Apart from fines, the GDPR introduces civil liability for businesses pursuant to which any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the business for the damage suffered.  The GDPR also introduces a type of class-action action system where not-for-profit agencies can take legal action against businesses on behalf of groups of consumers.

Given the exposure to civil liability for breaches of GDPR, one of the most important things that businesses should be doing now is to insure themselves against these risks.  While cyber liability insurance may be used to mitigate these risks in business, it should be borne in mind that implicit in your utmost good faith insurance contract will be your obligation to comply with your legal requirements.  If you have chosen not to appoint a GDPR representative for your business, you may be invalidating the very insurance that you are paying for to protect you against that risk in the first place.


Appointing an Article 27 Representative is easy, accessible and affordable. Go HERE to find out more and be GDPR Compliant in a matter of minutes.

Read more about EU Business Partners.