Businesses outside the EU caught by the GDPR will need to appoint a representative established in the EU, who will act as the point of contact for data protection regulators.

A representative is not required if the processing:

  • is occasional;
  • does not include large-scale processing of sensitive personal data; and
  • is unlikely to result in a risk to the rights and freedoms of data subjects.

The representative may itself also be subject to enforcement action in the event of non-compliance by the data controller.

Practical steps for organisations established outside the EU include the following:

  • Evaluate whether you are caught by the GDPR;
  • If you are caught, identify and appoint a representative.