The need for many companies to appoint a UK Data Protection Representative post-Brexit is a “hidden” GDPR obligation that may come as a surprise to some after the end of the transition period, writes Tim Bell.
Brexit is changing many things about the ways in which companies operate – both within the EU and UK, and also for those outside both. International trade, in particular, is facing a significant upheaval to any trading which will involve the UK (or, for UK companies, almost all international trade, which had been governed pre-Brexit by EU rules and treaties).
Many of these changes are well-documented and catered for, but one of the GDPR-related changes has received considerably less publicity – the obligation for companies to appoint a Data Protection Representative if they don’t have an in-jurisdiction location.
To quickly recap the pre-Brexit position: GDPR Article 27 requires a company which is impacted by GDPR as a non-EU company (under Article 3(2), which covers a company that has no EU establishment but provides goods or services to the EU, or monitors people there) to appoint a Representative in the EU. The Representative receives communications within the Union on the company’s behalf, both from individuals wishing to exercise their rights and from Data Protection Authorities which wish to raise any questions about the company’s data processing activities.
This requirement has been deemed the “hidden obligation” of GDPR, because many of the companies to which it applies – typically non-EU SMEs which market internationally but don’t have the scale to justify an EU office – simply don’t have sight of it. Many of these organisations prepared for GDPR using the materials which were available online, written by EU lawyers and consultants to attract EU clients. The obligation has, with fair reason, also been omitted from the discussion within Europe, because it generally hasn’t been a requirement.
However, Brexit changes that in two ways:
- UK companies (and other companies whose only EU location was in the UK) will now need to appoint an EU Representative (or establish an EU location) if they wish to continue trading with the EU
- EU companies (and other companies whose only EU location(s) were outside the UK) will need to appoint a UK Representative, a new role created by the UK’s implementation of GDPR into local law
To simplify – if a company is impacted by GDPR and has no location in the EU and/or the UK, it is required to appoint a Data Protection Representative in that/those jurisdiction(s) if it wishes to continue trading there.
The UK Representative is a new role, created by an amendment made to the Data Protection Act 2018, post-Brexit, by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The Data Protection Act 2018 brought the GDPR into direct effect in the UK, and the Amendment Regulations alter the wording of the UK GDPR so that it refers to the UK, rather than to the EU. The effect on the UK version of GDPR Article 27 is that companies outside the UK, which provide goods/services to the UK or monitor people there, are now required to appoint a UK Representative in writing, to act as their point of contact for UK data subjects and the UK Information Commissioner’s Office (ICO).
Because this has been the “hidden obligation”, this change will come as a surprise to many; particularly as there hasn’t been any change to GDPR itself (which has been enforceable now for over two and a half years), just the way in which it’s applied to the UK as a ‘third country’.
There are a few limited exclusions, in particular for public sector organisations, but the most-commonly quoted exclusion – for ‘occasional’ use – is often applied more widely than intended. As with the exclusion from the DPO obligation for this purpose, it is the type of processing which must be occasional, not the EU element of it (i.e. if only a small amount of EU personal data is processed, but that processing is a standard business process of the data controller/processor, that is unlikely to be deemed ‘occasional’ processing for the purposes of this exclusion).
The result is clear: many companies, except those with a significant global footprint including offices in both the EU and UK, are going to need to appoint a new Representative as a result of Brexit. If they already had an obligation to appoint a Representative in the EU, they may need to arrange a separate UK Representative appointment, or seek a Representative which has establishments in both the EU and UK.
The table below provides a quick summary of how the situation changes:
Tim Bell, managing director, DataRep and DataRep UK