Tim Bell, the founder and managing director of DPR Group, which provides EU representative services, explains why UK companies may need to appoint an EU Representative post-Brexit to remain GDPR compliant.
This article is the view of the author and not necessarily of Ready for Brexit.
Brexit brings up many issues for many companies, both inside and outside the UK, and GDPR is one of these issues – UK companies may now need an EU Representative (and EU companies may need a UK Representative) to be compliant. GDPR has been a fact of life in business for over a year now – and GDPR’s extra-territorial effect means that it isn’t just businesses in the EU that need to comply.
The UK has taken an incongruously pro-EU approach to GDPR, having already incorporated it in its entirety into UK law (the Data Protection Act 2018). The effect is that, even in the event of a sudden, no-deal Brexit, companies in the UK will continue to be required to meet GDPR-level standards in their personal data processing.
However, the issue for a UK business which trades with the EU will be that, where they have done so previously as equals under the EU GDPR, the UK would now be operating as a ‘third country’ for the purposes of GDPR, which changes a couple of aspects of this international trade. The two prime areas that will be affected are cross-border transfers of data (which is a complicated subject on its own) and the need to appoint an EU Representative as a result of Article 27 of GDPR, which only affects companies outside the EU. If a withdrawal deal is agreed this will still be the case, but it’s likely to push back the need to appoint a Representative until the end of the proposed transition period (end of 2020).
The role of the EU Representative under Article 27 of GDPR
Essentially, the EU Representative is required by any company that sells to, or monitors, individuals in the EU, but has no establishment (office, factory, etc.) in the Union. The company appointed to this role acts as the point of establishment in the EU and their main operational role is to act as an EU-based point of contact, to allow EU-based data subjects and Data Protection Authorities to contact the data controller or processor, based outside the Union.
Thought you knew about GDPR, but you’ve never heard of this obligation? Don’t worry, you’re not alone; even those who currently need an EU Representative are often unaware of this fact! Because this is only a requirement for non-EU companies, it isn’t typically discussed within the EU; I nicknamed it ‘the hidden obligation’ in 2017, and that remains accurate today. Now, this lack of awareness threatens many companies, who simply won’t be aware that they will be failing to meet this requirement after Brexit.
There are some exclusions, for the public sector and for companies which only undertake ‘occasional’ EU personal data processing (details of what is considered ‘occasional’ haven’t yet been provided), but it’s best to assume that, if you process the personal data of EU-based individuals and have no EU office, you will need an EU Representative.
Where should the Representative be established? Guidance from the European Data Protection Board (Guidance 03/2018) has confirmed the Representative should be based in the EU country where the most data subjects are – and that data subjects in other EU member states should find the Representative ‘easily accessible’ – so make sure you’re looking for a Representative with locations in relevant countries.
The Representative for companies outside the UK
What about companies in the EU, and elsewhere? This is where it gets really interesting – the UK has passed a law (The Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019) which would alter the UK’s implementation of GDPR to make it ‘UK GDPR.’ In doing so, they have created the additional new role of the UK Representative, required by companies outside the UK which are selling into the UK or monitoring people there. The effect of this? Companies in the EU which sell to the UK and have no UK office will need to appoint a UK Representative… and companies outside both the EU and UK, selling into both, will need to appoint an EU and a UK Representative (or a Representative which has establishments in both).
The full effects of this are summarised in the table below:
Brexit and the EU Representative
The effect of Brexit will be that companies in either the UK or the EU – which have never needed to be concerned about the Article 27 obligation – may suddenly need to add this appointment to their data protection checklist. In fact, many companies around the world will have gone from needing one Representative they didn’t know about, to needing two!
In conclusion, the ‘hidden obligation’ to appoint a Representative under Article 27 of GDPR is coming – be prepared!