By the end of 2020, major legal changes come into effect as a consequence of Brexit. The EU GDPR ceases to apply in the UK and will be replaced by a British version of the General Data Protection Regulation (UK GDPR). Most of the requirements will remain unchanged, so that companies which have aligned their processes to the EU GDPR will be able to continue their UK business without legal impediments. However, companies must review the legal instruments to ensure compliance of international data transfers from and to the UK.
Moreover, many companies doing cross-border business will be required to appoint a data protection representative in the UK under the new UK GDPR as of January 1, 2021.
All companies without establishments in the UK that offer goods or services (even if for free) to, or monitor the behavior of, individuals in the UK will need to appoint a UK representative according to Article 27 UK GDPR, regardless of whether the companies are considered data controllers or processors. The threshold is very low: offering services to the UK via a website directed to UK users will generally trigger the requirement to appoint a UK representative.
Examples of use cases include:
- delivery of goods or services to the UK or accepting payments in GBP,
- search engine marketing campaigns targeting the UK market,
- user tracking of UK residents, e.g. via cookies or device fingerprints,
- products with an international nature, such as in the transport and travel industry,
- performance of clinical trials or market surveys in the UK.
The UK representative shall act as the local contact point for British individuals and UK data protection supervisory authorities, and represent the company with regard to its obligations under the UK GDPR.
For example, administrative notifications delivered to the UK representative can have legal effect for the company. UK GDPR representatives should therefore have experience with European data protection laws in order to assess risks.
The UK representative:
- must be established in the United Kingdom,
- needs to be designated in writing,
- shall act on behalf of the company and therefore needs power of attorney,
- maintains records of processing activities (Article 30 UK GDPR) of the company.
The obligation of appointing a UK representative does not apply to cases where the legislator anticipates a small risk from a privacy perspective. This is the case if processing only takes place occasionally, no sensitive personal data is involved, and the processing is unlikely to result in a risk to the rights and freedoms of individuals. All these conditions have to be met cumulatively; therefore it is very rare that a company falling into the territorial scope of the UK GDPR can benefit from that exception.
DP Dock has a subsidiary in the United Kingdom and is thereby able to offer UK GDPR representative services. Appoint us and benefit from:
- our experience regarding data privacy compliance at an international scale,
- our network to immediately contact experienced privacy lawyers on the spot in case of official investigations,
- the opportunity to easily combine the service with an EU GDPR representative option if required.
Please get in touch if you need a UK GDPR representative, or in case you are uncertain whether you are required to appoint one. We are also happy to offer our services to law firms and data protection consultants as a subcontractor.