March 2, 2021
Just as we had all gotten comfortable with the term Data Protection Officer, suddenly some new kids have arrived on the scene – the EU Representatives and UK Representatives. But what are these roles? Does your business need to appoint them? Does their (or your) location matter?
For a moment let’s step back in time, it’s the 80s. The hair is big and the shoulder pads are bigger. The UK has signed the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and given effect to it through its own legislation, the Data Protection Act 1984 (the 1984 Act).
The 1984 Act was concerned with data users and computer bureaux. If you used a computer to process (which at the time meant amend, augment, delete, rearrange or extract) personal data, you had to register formally. Your registration had to include your name and address, a description of the data, the purposes for which it was used, how you obtained it, who you planned to share it with, any countries outside the UK you planned to transfer it to, and an address to which data subjects could send requests to exercise their rights.
The 1984 Act provided for a Data Protection Registrar, who approved or refused data user registration applications, allowed the public to inspect the register and served enforcement notices on registered data users that contravened the data protection principles. Then there was the Data Protection Tribunal (its legally qualified members being barristers, advocates or solicitors of at least 7 years’ standing), with members to represent the interests of data users and members to represent the interests of data subjects. A data user could appeal to the Tribunal if their application was refused or they received an enforcement notice, de-registration notice or transfer prohibition notice (and if the data user was unhappy with the Tribunal’s decision, they could take the appeal on to court).
But no mention of a Data Protection Officer (or Representatives for that matter).
Fast forward to the 90s. In the UK we had the Spice Girls, Oasis and the Data Protection Act 1998 (the 1998 Act).
Things had moved on in the realm of computers – goodbye bureaux. The law had become savvier too: instead of data users we now had data controllers and data processors, and the legislation applied to hardcopy personal data as well (not just information on computers). So the law applied if you processed (which in its 90s iteration meant – *big inhale* – obtain, record, hold, organise, adapt, alter, retrieve, consult, use, align, combine, block, erase, destroy or disclose by transmitting, disseminating or otherwise making available) personal data that was processed by equipment operating automatically in response to instructions, recorded with the intention that it be processed by such equipment, or recorded as part of a relevant filing system.
Instead of a Registrar we now had a Data Protection Commissioner (with staff), and the Tribunal remained (although it now had staff too!).
There was still no mention of a Data Protection Officer in the 1998 Act, but by this point a role had begun to form organically. The scope of the legislation had dramatically increased – it was no longer just about information held on computers, and far more activities now fell within the definition of processing personal data. It became clear that more (wo)manpower was needed – you can see the trend in the fact that the Commissioner and the Tribunal now needed staff to assist them.
So evolved the role of the (lowercase) data protection officer: an individual who got lumped with the data protection stuff (lucky devil, we say) but with no clear framework for what their role covered, other than “deal with the stuff”.
Fast forward again to 2016 and the General Data Protection Regulation (GDPR), adopted that year and applying from 25 May 2018. The UK, still part of the European Union, supplemented the directly applicable regulation with the Data Protection Act 2018 (the 2018 Act).
The reach of data protection law was extended once more. Personal data now expressly includes not only information which identifies a living person, but also information which could be used to identify one. We live in an online information age and this change reflects that our digital identity is not just our social media handles and profile pics, but our IP addresses and the cookie identifiers which track how we interact with websites (and can be used to infer what sort of products we might buy or interests we appear to have).
Since 2001 (under the Freedom of Information Act 2000) the Data Protection Commissioner has been known as the Information Commissioner, reflecting the added responsibilities for freedom of information and, later, environmental information.
For the first time the role of the Data Protection Officer became a statutory concept – but not an alien one, because changes in business, technology and information use had already set the ball rolling.
The GDPR (Article 39) sets out the tasks of the DPO, so rather than just doing “the stuff”, it’s clear that this is a role that:
The person fulfilling the role of DPO must have professional qualities and expert knowledge of data protection law and practice. It is intended to be a senior role that reports to the highest level of management and has independence in the performance of its tasks. A DPO cannot be dismissed or penalised for performing their tasks (because they need to be free to say that the controller is doing something wrong, or that compliance is poor).
This person can be an employee, either full-time or alongside another role they already do (as long as that does not create a conflict of interest when they are performing their DPO tasks). The business might instead choose to outsource the DPO role, which is also permitted provided there is a service contract in place.
The DPO is the go-to contact for data subjects’ complaints and rights requests, and the point of contact at the business for the Commissioner (or other supervisory authority) if there are any investigations or queries.
Not every business needs a DPO. But a DPO is mandatory for data controllers and processors if they are:
Since the DPO seems to have everything covered, where does the Representative come into this, and what do they do? What’s the difference between a Representative and DPO? How come we only really seem to have heard about this role recently?
One of the more remarkable parts of the GDPR is just how far it reaches. The trend mentioned earlier continues – not just wider definitions, more responsibilities and higher limits on fines, but also a wider territorial reach. If your business is established outside the European Economic Area (EEA), with no establishment inside it, but you offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA, then you have to comply with the GDPR (Article 3(2)).
But how are the supervisory authorities (the bodies in each country tasked with upholding data protection law) supposed to check compliance if your business is on the other side of the globe? Who are the data subjects supposed to contact?
Enter the Representative.
Unlike the DPO (whose tasks are now neatly laid out in the law) the role of the Representative is less clear. The GDPR (Article 27) gives some concrete pointers: your Representative must be established in one of the EEA countries where the data subjects whose personal data you process are located, and must be explicitly designated by a written mandate.
Their task is woollier. The Representative must be mandated to be addressed, in addition to or instead of you, on all issues related to the processing of personal data of data subjects in the EEA, for the purpose of ensuring your business complies with the GDPR. The GDPR envisages that this will chiefly be by supervisory authorities and data subjects, but others may contact the Representative too. It is also clear that appointing a Representative does not absolve your own responsibility or liability under the GDPR: legal action can still be taken against you directly.
But other than that the GDPR itself is pretty quiet on what the Representative does, so it was a relief when the European Data Protection Board’s guidelines on the territorial scope of the GDPR (Guidelines 3/2018) gave a little more clarity. Reading the GDPR and the guidelines together, the tasks of the Representative are:
Whilst some of these tasks might seem to overlap with the DPO role (e.g. acting as a point of contact), the guidelines state that the Representative should not also be the DPO: the two are separate, incompatible roles.
A Representative does not need to be an employee; they do not even need to be an individual, as the role can be filled by a natural or legal person (although if you nominate an organisation, it should name a lead contact). They should be able to communicate in the language of the data subjects and of the supervisory authority.
So how could we summarise the difference between the two roles? The DPO is an adviser, an expert and has protected independence. The Representative is more of a conduit (although their written mandate may include additional tasks) and they act on instruction.
If your business is outside the EEA and you:
You do not need to have an EU Representative (hurray!)
Even though the role was created in 2016, one reason it might sound new is that while the UK was part of the EU (and so the EEA), this part of the GDPR did not apply to UK businesses. Now UK businesses need to consider whether offering goods or services to, or monitoring the behaviour of, individuals in the EEA means they need to appoint an EU Representative.
To confuse things further, the UK has copied the GDPR into domestic law as retained EU law under the European Union (Withdrawal) Act 2018, so that there is now a UK GDPR. The Keeling Schedule (the document showing the amendments made to the retained legislation) simply crosses out European references and inserts UK equivalents.
For businesses outside the UK, with no UK establishment, that offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, this means they may need to appoint a UK Representative.
Freshly out of Brexit, the UK has the benefit that its domestic data protection law remains largely aligned with the original European legislation (and, under the interim bridging arrangement in the EU-UK Trade and Cooperation Agreement, the UK Government has committed to no major changes until at least 1 May 2021), so the tasks as explained are basically identical, albeit that compliance will be regulated by an EEA supervisory authority for the EU Representative and by the ICO for the UK Representative.
Depending on your business, you could therefore feasibly find yourself in a position where you might need a Data Protection Officer, an EU Representative and a UK Representative all at once!
It might all sound a bit confusing, but it boils down to understanding what personal data your business is processing, which individuals that personal data relates to and where those individuals are located. If you’d like to talk about whether your business might need to appoint one of these roles, give us a shout. At Stephenson Law – we love untangling this sort of stuff and making it all make sense.