Common Mistakes about UK GDPR by EU Companies 

ASSUMING THAT SMALL VOLUMES OF UK PERSONAL DATA DON’T FALL UNDER THE UK GDPR

Many EU companies may underestimate the amount of data they collect on UK individuals, especially when it comes to website visitors. Any UK user visiting your website is likely already being tracked through cookies. The same applies if your company offers an online payment service accessible to UK customers.

This means a significant amount of information is being gathered about each visitor—such as browser details, location, and banking information—all of which qualifies as personal data under the UK GDPR if it can be linked to an identifiable individual.

Given the systematic nature of this data collection, it is difficult for an EU company to claim that the volume of personal data collected is minimal or that the collection is merely occasional.

BELIEVING THAT THE UK GDPR DOES NOT APPLY TO B2B BUSINESS

If you process personal data of individuals located in the UK, whether directly or indirectly, you fall under the scope of the UK GDPR. This means that even if the data you handle consists only of names, professional emails, business phone numbers, or IP addresses, compliance with the UK GDPR is required.

You are only exempt from the UK GDPR if the data you process clearly—and exclusively—relates to a business entity, such as the company name, business address, or general email addresses like “info@” or “support@”.

THINKING THAT YOUR COMPANY DOESN’T HAVE TO APPOINT A DATA PROTECTION REPRESENTATIVE BECAUSE THE UK WAS GRANTED AN ADEQUACY DECISION

Although the European Commission has granted the UK an Adequacy Decision – which means the EU confers the UK an “adequate level of protection”, allowing data transfers from the EU to the UK – EU companies must still comply with all of the other obligations under the UK GDPR, such as the obligation to appoint a UK Representative (Article 27 of the UK GDPR). Compliance with obligations such as these should have been ensured since Brexit took effect on 1 January 2021.

If you haven’t heard about the obligation for EU companies to appoint a UK GDPR Representative, it’s probably because almost everything that’s been written or discussed around the UK GDPR has focused on data flows between the EU and the UK. Appointing a data protection representative is nonetheless a major compliance obligation under the UK GDPR.

Specifically, if your business (1) is located outside the UK and has no establishment in the UK, and (2) offers goods or services to individuals in the UK or monitors the behaviour of individuals within the UK, then you must appoint a UK representative.*

The UK Representative must be located in the United Kingdom and acts as a point of contact for individuals in the UK and the UK Data Protection Authority (ICO). Additionally, the Representative can assist and support your company in the handling of data breach notifications to the ICO.

In the event of non-compliance with the obligation to appoint a UK Representative, companies face administrative fines of up to the equivalent of 8.7 million GBP or up to 2% of the company’s annual worldwide turnover. The ICO can also temporarily or permanently restrict processing and suspend data flows.

*Unless the cumulative exceptions of Article 27(2) apply.

COMMON MISTAKES

There’s a lot of information out there about what the UK GDPR is and how it operates. There have been many developments since we first heard about Brexit, and it’s best to keep an eye out for future changes or updates. EU companies are already familiar with the EU GDPR, but overlooking the obligations of the UK GDPR is still very common amongst businesses.

Need any help trying to avoid these common mistakes? EDPO UK Ltd enables EU companies to continue to have access to the UK market by correcting these mistakes and protecting data privacy.

About the author

Jane Murphy

Jane Murphy is a Belgian-Canadian lawyer specialising in data protection, corporate law, and EU regulations. She holds law degrees from Canada and Belgium, an LL.M. in EU and International Law, and a Data Protection Certificate, and completed an International Business summer programme at Harvard and an “AI: Implications for Business Strategy” executive program at MIT. Jane also has 15+ years of board experience across Europe and Asia and currently chairs Oracle Financial Services Software (OFSS) in Mumbai.

