Home » What US companies should know about Brexit and the Data Protection Representative

Brexit And The GDPR: Will Your US Business Need Two Data Protection Representatives?

Whilst the GDPR continues to apply to the UK during the Brexit transition period (i.e. until December 31, 2020), the relationship between the GDPR and Brexit beginning in 2021 is still unsettled. The UK is no longer a ‘Member State’ and will be considered as a “third country” for GDPR purposes as from January 1, 2021. As it becomes a third country for the EU, it also becomes a completely autonomous trade centre for the rest of the world. US companies that were doing business with the EU before Brexit will therefore have to look at the UK with a different lens.

One of the main questions regarding GDPR post Brexit is the data protection representative.

Do you have to appoint one? Do you maybe even have to appoint two?

It Depends On Where You Do Business

I do business with the EU/EEA only

Even if you are based in the US, you may need to appoint a GDPR EU Representative if:

• you don’t have an establishment in the EU/EEA
• you offer products or services to individuals who are in the EU or monitor the behaviour of individuals in the EU (such as tracking or profiling)

If you haven’t appointed a GDPR EU representative and you’re not sure if you have to appoint one, take our assessment test to find out!

I do business with the UK only

The Withdrawal Agreement acknowledged by the EU and the UK government stipulates a transition period to last until December 31, 2020. During this period, the UK agreed to continue following EU laws and regulations – including the GDPR – despite the ‘exit’ taking place in January 2021.

As from January 1, 2021, the UK will apply the ‘UK GDPR’. So the key obligations, rights and principles of the EU GDPR will remain the same in the UK.

This means that you may need to appoint a UK GDPR Representative if you are based in the US and if:

• you don’t have an establishment in the UK
• you offer products or services to individuals who are in the UK or you monitor the behaviour of such individuals

The UK’s data protection authority (ICO) confirms that “the UK government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative.”

I do business with the UK and the EU/EEA

As from January 1, 2021, the EU GDPR will continue to apply in the EU/EEA. As for the UK, it will apply the ‘UK GDPR’, i.e. a very similar version of the EU GDPR.

This means that you may need to appoint both an EU GDPR representative and a UK GDPR representative if you are based in the US and if:

• you don’t have an establishment in the EU/EEA or in the UK
• you offer products or services to individuals who are in the EU/EEA and the UK or you monitor the behaviour of such individuals

EDPO can act as your EU/EEA GDPR representative AND as your UK GDPR representative.

If you appoint EDPO as your EU/EEA and UK Data Protection Representative before the end of the Brexit transition period, you only have to pay the price of one Representative!