US and Australian Businesses at Risk: Expert Reveals Hidden GDPR Obligations in UK and EU Markets

Posted By: ProfileTree

15th Nov 2024

Many US and Australian businesses are unknowingly breaking GDPR rules by not complying with Article 27, which requires the appointment of representatives in the UK and EU markets. This oversight could lead to significant fines and market restrictions for companies selling to or monitoring people in these regions.

John McVeigh, founder of AssureMore and GDPR specialist, explains: “Post-Brexit, the need for separate UK and EU representatives often surprises businesses. For instance, a US online shop selling to both UK and EU customers could potentially need two different representatives to comply fully with Article 27 of GDPR.”

This requirement doesn’t apply to companies ‘established’ in the UK or EU. For companies without such an establishment, however, compliance is essential.

While exact numbers aren’t available, industry estimates suggest a significant portion of non-EU/UK businesses targeting European markets may not be following GDPR representative rules. This widespread issue puts many companies at risk of penalties, with fines potentially reaching €20 million or 4% of global yearly turnover, whichever is higher.

The consequences of non-compliance extend beyond financial penalties. “Non-compliant businesses might face restricted access to European markets, impacting their competitiveness and growth potential,” McVeigh notes.

Recent enforcement actions underscore the importance of GDPR compliance. While the largest fines have been for broader GDPR violations, the requirement for a representative remains a crucial aspect of compliance.

McVeigh advises: “US and Australian businesses must urgently assess their GDPR compliance status in both UK and EU markets. Appointing a single point of contact offering dual representation services can streamline compliance efforts and reduce risks effectively.”

It’s important to understand that while the UK-EU data adequacy decision facilitates data transfers between these regions, it doesn’t exempt non-EU/UK companies from GDPR representative requirements when targeting customers in either market.

US and Australian businesses looking to ensure full GDPR compliance across UK and EU markets are encouraged to consult with experts for tailored guidance and representation services.

By addressing these GDPR obligations, including the Article 27 requirement, companies can protect themselves from potential penalties, maintain access to valuable European markets, and demonstrate their commitment to data protection in an increasingly privacy-conscious global marketplace.

Additional Reading:

  1. https://gdpr.eu/companies-outside-of-europe/
  2. https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation
  3. https://www.assuremore.com/