GDPR Article 27 largely deals with protecting the rights of UK (or EU) citizens, in the event of their data being processed by organisations outside of their home country (or outside of their resident political union), largely through the appointment of a formal representative.
Representatives of controllers or processors not established in the Union
- Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
- The obligation laid down in paragraph 1 of this Article shall not apply to:
  - (a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
  - (b) a public authority or body.
- The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
- The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
- The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Representatives of controllers or processors not established in the United Kingdom
- Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the United Kingdom.
- The obligation laid down in paragraph 1 of this Article shall not apply to:
  - (a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
  - (b) a public authority or body.
- The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, the Commissioner and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
- The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Continued compliance is measured in GDPR Article 27 through four main areas:
In this section we cover GDPR Article 27(1), (2)(a), (2)(b), (3), (4) and (5).
Organisations should define roles and responsibilities that are specific to individual functions contained within their privacy protection policy – both their general policy and topic-specific policies.
Individuals with specific responsibilities should be skilled enough to carry out privacy-related tasks, which should include:
ISO acknowledges that each organisation is unique in the way it processes information. The above areas of responsibility should be accompanied by site- and facility-specific guidelines that take into account the real-world factors affecting an organisation's PII-processing operations.
All of the above responsibilities and security areas should be clearly documented and made available to all relevant staff members.
Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 Clause 7.3.2).
In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| EU GDPR Article 27 (1) to (5) | ISO 27701 6.3.1.1 | ISO 27701 7.3.2 |
We have easy-to-use features that let you start working on data privacy as soon as you log on, regardless of whether you are a novice or an expert looking to integrate multiple standards and regulations.
Data mapping is easy with our PIMS solution. Using our pre-configured dynamic Records of Processing Activity tool, you can easily record and review it all.
If you’re working on privacy standards or regulations, you’ll have to demonstrate that you manage Data Subject Rights Requests (DRR) well. Our secure DRR space keeps it all in one place, supporting it with automated reporting and insight.
Find out how we can help you achieve your GDPR goals by booking a 30-minute demo.