BSI launches Article 27 Representative Service for GDPR compliance

The cyber security and information resilience team at BSI has announced the introduction of an Article 27 Representative Service to support organisations with GDPR compliance.

Article 27 of the GDPR mandates that an organisation must have an EU-based representative if it does not have an EU-based establishment and provides goods or services into the EU or monitors EU-based data subjects. The representative is responsible for acting as a contact point for data subjects and for the supervisory authorities within the EU, for maintaining a copy of the non-EU organisation's Article 30 Record of Processing Activities, and for providing any information the supervisory authorities require for the performance of their tasks, such as queries or supervision activities.

Conor Hogan, global practice lead in the privacy, cyber, risk and advisory division at BSI said: “The Brexit transition period ends on the 31st December and will have a significant impact on data protection compliance for thousands of companies. This affects UK organisations with no establishment in the EU, who sell goods or services into the EU or monitor EU-based data subjects and will also affect EU organisations who have no presence in the UK but sell goods or services into the UK or monitor UK-based data subjects.”

The new privacy service at BSI will offer independent expert representation on behalf of global clients to ensure organisations meet both EU and UK data protection compliance obligations. The Article 27 Representative Service is separate from the role of a data protection officer: the representative acts as a main point of contact for EU or UK data subjects and EU or UK supervisory authorities on behalf of organisations that do not have a presence in the relevant country.

“While Article 27 is not a new addition to the GDPR and applies to organisations all over the world, it does become crucially important when managing business with the UK from the 1st January,” Hogan added. “Organisations need to be aware of the variety of changes the UK’s exit from the EU may bring to their business operations including data protection obligations. Providing the necessary guidance on data privacy compliance depending on the jurisdictions they reside in, the data they process, and the markets in which they trade is where our experts can assist in an efficient and cost-effective way, allowing organisations to focus on their core business activities.”
