Brexit and GDPR representatives

EU data protection law will no longer apply to the UK when the Brexit “transition” period ends on 31 December 2020.

This will change the data protection landscape for organisations in the UK. It will also change the legal rules for some organisations in the rest of the European Economic Area (EEA) and elsewhere in the world.

New requirements to appoint GDPR representatives

As part of these changes, there will be new requirements to appoint GDPR representatives.

This will potentially affect organisations in three categories.

1. Organisations based in the UK will need to consider whether they need an EU representative to comply with the EU’s GDPR.

This is likely to be the case for UK organisations that have no physical presence in the EEA (such as a subsidiary, office or employees) but either:

2. Organisations based in remaining EEA countries will need to consider whether they need a UK representative in order to comply with the new “UK GDPR”.

This is likely to be the case for organisations that have no physical presence in the UK, but either:

  • target UK customers (such as by accepting payment in GBP, or offering UK-specific delivery terms); or
  • monitor the behaviour of individuals in the UK (such as their internet usage).

3. Organisations in the rest of the world (with no physical presence in the UK or in remaining EEA countries) may need:

  • A UK representative in order to comply with the UK GDPR (if they target customers or monitor data subjects in the UK); and possibly also
  • An EU representative in order to comply with the EU GDPR (if they target customers or monitor data subjects in remaining EEA countries).

What are the exceptions?

Both the EU GDPR and the new “UK GDPR” allow exceptions from the requirement to appoint a representative.

There’s one exception for public bodies. There’s another exception for organisations that only carry out occasional, low-risk processing of personal data, and don’t process special category data to a significant degree.

But the exceptions are designed to be narrow, so are unlikely to apply to the majority of commercial organisations.

Will a UK representative have the same role as an EU representative?

After 31 December 2020, the new “UK GDPR” will closely mirror the EU GDPR.

This means that, at the start, a UK representative is likely to have the same role in the UK as an EU representative carries out in the EEA. This will include communicating with data subjects and regulators and managing the records of processing that are required by Article 30 (under both the UK GDPR and EU GDPR).

There’s a possibility that the UK law and EU law may diverge over time. But there’s no sign yet of significant changes on either side.

How DataAgent can help

We’re based in Ireland and have a subsidiary in the UK.

This means we can serve each of the three categories of organisations described above.

In other words, we act as:

  • EU representative for organisations in the UK that need a representative under the EU GDPR and have some customers or data subjects in Ireland;
  • UK representative for organisations in the EEA that need a representative under the UK GDPR; and
  • Representative in the EU and/or the UK for organisations in the rest of the world, depending on their needs.

We offer detailed service guarantees that cover every situation – including litigation and investigations. Our fixed monthly fees cover all our time, for the lifetime of your subscription – no matter what happens.

To find out more, you can read our FAQs or contact us.