With the Brexit transition period coming to an end there are a number of important considerations for companies in the United Kingdom to review in relation to the appointment of a General Data Protection Regulation (GDPR) representative who will be responsible for the processing of the private data of European Union citizens.
Once the transition period comes to a close on January 1, 2021, the UK will be referred to as a ‘third country’ by GDPR and, if the UK is not given adequacy status under GDPR, firms which would like to move EU personal data to the UK would need to see to it that a GDPR-compliant process is implemented. Adequacy status means that the UK’s privacy protections are almost 100% in line with those of the EU. This may be difficult to achieve, though, as the UK government is planning to retain some surveillance powers.
There will also be a GDPR representative obligation that means UK companies must appoint an EU representative. As per GDPR Article 27, a company which is governed by GDPR must appoint an EU-located Representative if it has no office located within the EU. So the basic requirement will be that UK companies which have an EU-located office can simply appoint a GDPR Officer while UK companies that do not have an EU-based office must designate a GDPR Representative. The requirement under this article does not apply to public authorities or to controllers/processors whose processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
This representative must be:
- Based in a European Union Member State where the data controller/processor that they are representing has the greatest amount of data subjects.
- Available to data subjects located in other EU member states. Due to this, there may be a requirement to appoint a Representative with locations in many countries or, alternatively, a range of separate national/regional Representatives.
- A different individual to the company appointed as DPO in the case that an external DPO appointment has been made.
Additionally, EU-based firms that do not have UK offices will be in a position where they have to appoint a UK Representative so that they can go on doing business in the UK. Companies that are based outside of both the UK and the EU and do business in both jurisdictions will now be in a position where they must appoint an EU Representative and a UK Representative.
So all companies that are doing business in either the UK or EU, or both, must move quickly to appoint the relevant personnel to ensure that they will not be subjected to any actions in relation to breaching data privacy legal requirements. If you are unsure of what you must do, the best move would be to contact a team of experts at your earliest possible opportunity.