The run-up to Brexit has seen increased discussion in the UK about the need for an EU representative under the GDPR (General Data Protection Regulation).
Organisations must appoint an EU representative if they are based outside the EU and monitor the behaviour of, or provide goods or services to, EU residents.
This requirement fell under the radar at the time the GDPR took effect, because it would only apply in the UK after Brexit.
Already swamped with compliance requirements, organisations focused on their immediate priorities and left their EU representative requirements until a later date.
That date has now come. The UK is set to leave the EU at the end of 2020 and, as soon as it does, organisations based in the country are legally required to have an EU representative.
What does an EU representative do?
As the title suggests, EU representatives must be established in the EU and work on behalf of non-EU-based organisations.
In the case of UK organisations, this will primarily involve serving as the point of contact between the organisation, the ICO (Information Commissioner’s Office) and data subjects.
They’ll do this by:
- Responding to any queries the ICO or data subjects have concerning data processing;
- Maintaining records of the organisation’s data processing activities; and
- Making data processing records accessible to the ICO.
What’s the difference between an EU representative and a DPO?
The tasks of an EU representative sound a lot like those of a DPO (data protection officer), but don’t confuse the two.
An EU representative is tasked with representing non-EU based organisations when it comes to their GDPR requirements. In other words, they are a function of the organisation’s GDPR compliance practices.
By contrast, a DPO is an independent expert who helps facilitate and assess the organisation’s compliance practices. They are responsible for monitoring compliance and advising organisations on how to navigate their requirements.
Do all UK organisations need an EU representative?
UK organisations only need to appoint an EU representative if they monitor or provide goods or services to EU residents.
If you deal exclusively with UK-based customers, you won’t be required to appoint an EU representative. That’s because as soon as the UK is no longer in the EU, your customers will cease to be EU residents.
However, if your data processing or monitoring extends to other EU member states, you’ll probably be required to appoint an EU representative. There are two exemptions:
- Organisations that have an office and employees based in the EU.
- Organisations whose processing activity is occasional, doesn’t include large-scale processing of special categories of data and is unlikely to result in a risk to the rights and freedoms of natural persons (see Article 27 of the GDPR for more information).
Selecting your EU representative
Your EU representative can be any natural or legal person who’s based in an EU member state within which you collect personal data.
If you only collect information from data subjects in, say, France, your EU representative must be based in France. However, if you collect personal data from the entirety of the EU, you can appoint a representative in any EU member state.
When you have multiple countries to choose from, it’s best to select the one in which you collect the most data or conduct the most extensive monitoring.
Appoint your EU representative before Brexit
You can find an EU representative quickly and easily with the help of our sister company GRCI Law.
Led by a team of lawyers, barristers, and information and cyber security experts, GRCI Law can take the strain of GDPR compliance, acting as your EU representative for personal data processing activities.
A no-deal Brexit action plan
Appointing an EU representative isn’t the only thing your organisation must do to prepare for Brexit. With the UK looking increasingly likely to leave the EU without a formal agreement, there will be an instant turnaround in your organisation’s relationship with European customers and partners.
As such, you’ll no longer be able to handle and share information with them based on EU laws. So what should you do instead?
Find out by downloading No-deal Brexit: a data protection action plan.
This short guide summarises what a no-deal Brexit will mean for data protection in the UK and outlines a simple five-step action plan to prepare for no-deal data processing.
- The post-Brexit challenges that UK organisations will face;
- How a no-deal Brexit will affect UK data protection law;
- Guidance for handling transfers of personal data to and from the UK; and
- A five-step action plan to prepare for no-deal data processing.
A version of this blog was originally published on 21 March 2019.