What non-EU and non-UK companies should know about Brexit and the Data Protection Representative

Brexit And The GDPR: Will Your Business Need Two Data Protection Representatives?

Whilst the GDPR continues to apply to the UK during the Brexit transition period (i.e. until 31 December 2020), the relationship between the GDPR and Brexit beginning in 2021 is still unsettled. The UK is no longer a ‘Member State’ and will be considered as a “third country” for GDPR purposes as from 1 January 2021. As it becomes a third country for the EU, it also becomes a completely autonomous trade centre for the rest of the world. Companies that were doing business with the EU before Brexit will therefore have to look at the UK with a different lens.

One of the main questions regarding GDPR post Brexit is the data protection representative. 

Do you have to appoint one? Do you maybe even have to appoint two?

It Depends On Where Your Business is Located and Where You Do Business

I do business with the EU/EEA only

If you are based outside the European Union or the EEA, you may need to appoint an EU GDPR Representative if:

  • you don’t have an establishment in the EU/EEA
  • you offer products or services to individuals who are in the EU or monitor the behaviour of individuals in the EU (such as tracking or profiling)

If you haven’t appointed a GDPR EU representative and you’re not sure if you have to appoint one, take our assessment test to find out!

I do business with the UK only

The Withdrawal Agreement acknowledged by the EU and the UK government stipulates a transition period to last until 31 December 2020. During this period, the UK agreed to continue following EU laws and regulations – including the GDPR – despite the ‘exit’ taking place in January 2021.

As from 1 January 2021, the UK will apply the ‘UK GDPR’. So the key obligations, rights and principles of the EU GDPR will remain the same in the UK.

If you’re based outside the UK, you may need to appoint a UK GDPR Representative if:

  • you don’t have an establishment in the UK
  • you offer products or services to individuals who are in the UK or you monitor the behaviour of such individuals (including EU/EEA citizens living within the UK)

The UK’s data protection authority (ICO) confirms that “the UK government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative.”

I do business with the UK and the EU/EEA

As from 1 January 2021, the EU GDPR will continue to apply in the EU/EEA. As for the UK, it will apply the ‘UK GDPR’, i.e. a very similar version of the EU GDPR.

This means that you may need to appoint both an EU GDPR representative and a UK GDPR representative if:

  • you don’t have an establishment in the EU/EEA or in the UK
  • you offer products or services to individuals who are in the EU/EEA and the UK or you monitor the behaviour of such individuals

EDPO can act as your EU/EEA GDPR representative AND as your GDPR UK representative.

If you appoint EDPO as your EU/EEA and UK Data Protection Representative before the end of the Brexit transition period, you only have to pay the price of one Representative!

If you sign up after the end of the transition period (i.e. after 31 December 2020) and you need both Data Protection Representatives, you will get the second Representative at 50% of the regular cost! 

Want to know more? Contact us! 

Appoint EDPO as your Data Protection Representative!

About the author

Jane Murphy

Jane Murphy is a Belgian-Canadian lawyer specialising in data protection, corporate law, and EU regulations. She holds law degrees from Canada and Belgium, an LL.M. in EU and International Law, and a Data Protection Certificate, and has completed an International Business summer programme at Harvard and the “AI: Implications for Business Strategy” executive programme at MIT. Jane also has 15+ years of board experience across Europe and Asia and currently chairs Oracle Financial Services Software (OFSS) in Mumbai.

The General Data Protection Regulation (GDPR) continues to apply to many US companies in 2025, even if they do not have a physical presence in the European Union. Despite years of guidance and enforcement, the same misunderstandings keep reappearing. Here are five of the most common GDPR mistakes US companies make — and how to avoid them.

Mistake 1 – Confusing the Data Protection Officer (DPO) with the EU GDPR Representative

An EU GDPR Representative is a local contact point for data protection authorities and individuals in the EU. Non-EU companies that are subject to the GDPR must appoint a representative to ensure smooth communication and compliance.

A Data Protection Officer (DPO) is responsible for overseeing a company’s internal data protection strategy and ensuring compliance with the GDPR. The DPO monitors data processing, conducts audits, and trains staff.

The DPO works inside the organisation, while the GDPR Representative is based in the EU and acts as an external contact point. Many US companies confuse the two roles, but under the GDPR, they are separate obligations and sometimes both are required.

Mistake 2 – Misunderstanding the extraterritorial scope of the GDPR

The GDPR applies to non-EU companies if they offer goods or services to individuals in the EU or monitor their behaviour online. This applies regardless of where the company is located.

Selling products to EU customers, operating an EU-facing website in EU languages, accepting payments in euros, or tracking EU visitors with cookies or analytics tools can all trigger GDPR obligations.

Mistake 3 – Incorrectly relying on the Privacy Shield (now EU-US Data Privacy Framework)

The Privacy Shield was an agreement that allowed certified US companies to transfer personal data from the EU to the US. In 2020, it was invalidated by the Court of Justice of the European Union in the Schrems II decision.

In 2023, the EU-US Data Privacy Framework (DPF) replaced the Privacy Shield. While participation in the DPF can help facilitate transatlantic data transfers, it does not exempt companies from GDPR compliance.

US companies must ensure that data transfers are lawful under the GDPR. This may involve joining the DPF, using Standard Contractual Clauses (SCCs), or implementing other approved safeguards.

Mistake 4 – Incomplete or unclear privacy policies

The GDPR requires privacy policies to be clear, accessible and transparent. They must explain what personal data is collected, how it is used, the legal basis for processing, and the rights of data subjects.

Many US companies omit details such as data retention periods, contact information for the EU Representative, or instructions on how to exercise data subject rights. 

Mistake 5 – Underestimating GDPR fines and enforcement

Data protection authorities have issued fines to companies of all sizes, including non-EU businesses. In 2025, penalties for non-compliance remain high — up to €20 million or 4% of annual global turnover, whichever is higher.

Regular compliance reviews, Data Protection Impact Assessments (DPIAs), staff training, and appointing an EU GDPR Representative can help mitigate these risks.

How EDPO can help your business stay GDPR compliant

EDPO acts as your official EU GDPR Representative, ensuring compliance with Article 27 of the GDPR and facilitating communication with EU authorities.

For companies targeting the UK market, EDPO also offers UK GDPR Representative services to ensure compliance with the UK’s data protection regime.