Following the introduction of the General Data Protection Regulation (GDPR) in May 2018, each business or organisation will report to a Lead Supervisory Authority (LSA), which will be the body from which it obtains any advice and guidance it needs. More importantly, the LSA will be responsible for determining the fines and sanctions that apply should a business be found to be non-compliant.
Although each LSA will have some leeway in making decisions, it is expected that they will liaise with other LSAs throughout the EU. This will help to maintain a level of uniformity across member states.
Choosing the applicable LSA
For most businesses or organisations, it will be obvious which authority is their LSA: it will normally be the one based in the same country as them. But what happens when a business has more than one base, when data is processed in different locations, or when the business is not based within the EU?
If there is more than one business location, the appropriate LSA will normally be the one that is located in the same EU state as the main business location.
If the main data processing unit is elsewhere, this location will normally determine which LSA should be used. For instance, if the main data processing centre for a business is based in Berlin, the business will use the German LSA.
According to the Article 29 Working Party, if a business is based outside of the EU, it will need to choose an entity in an EU state which has responsibility for its data processing. This entity must be compliant with GDPR and must have the means to withstand the possible imposition of large fines should there be an issue with non-compliance. Once this entity has been chosen, its location will determine which LSA is appropriate.
It is likely that Ireland will be a popular choice as the base for nominated data processing entities, as together with Malta it will be one of only two English-speaking states remaining in the EU after Brexit, meaning that businesses may prefer to deal with the Irish LSA.