Businesses outside the EU caught by the GDPR will need to appoint a representative established in the EU, who will act as the point of contact for data protection regulators.
A representative is not required if the processing:
- does not include large-scale processing of sensitive personal data; and
- is unlikely to result in a risk to the rights and freedoms of data subjects.
The representative may itself also be subject to enforcement action in the event of non-compliance by the data controller.
Practical steps for organisations established outside the EU include the following:
- Evaluate whether you are caught by the GDPR;
- If you are caught, identify and appoint a representative.