Brexit And The GDPR: Will Your Business Need Two Data Protection Representatives?

Whilst the GDPR continues to apply to the UK during the Brexit transition period (i.e. until 31 December 2020), the relationship between the GDPR and Brexit beginning in 2021 is still unsettled. The UK is no longer a ‘Member State’ and will be considered as a “third country” for GDPR purposes as from 1 January 2021. As it becomes a third country for the EU, it also becomes a completely autonomous trade centre for the rest of the world. Companies that were doing business with the EU before Brexit will therefore have to look at the UK with a different lens.

One of the main questions regarding GDPR post Brexit is the data protection representative. 

Do you have to appoint one? Do you maybe even have to appoint two?

It Depends On Where Your Business is Located and Where You Do Business

I do business with the EU/EEA only

If you are based outside the European Union or the EEA, you may need to appoint an EU GDPR Representative if:

• you don’t have an establishment in the EU/EEA
• you offer products or services to individuals who are in the EU or monitor the behaviour of individuals in the EU (such as tracking or profiling)

If you haven’t appointed a GDPR EU representative and you’re not sure if you have to appoint one, take our assessment test to find out!

I do business with the UK only

The Withdrawal Agreement acknowledged by the EU and the UK government stipulates a transition period to last until 31 December 2020. During this period, the UK agreed to continue following EU laws and regulations – including the GDPR – despite the ‘exit’ taking place in January 2021.

As from 1 January 2021, the UK will apply the ‘UK GDPR’. So the key obligations, rights and principles of the EU GDPR will remain the same in the UK.

If you’re based outside the UK, you may need to appoint a UK GDPR Representative if:

• you don’t have an establishment in the UK
• you offer products or services to individuals who are in the UK or you monitor the behaviour of such individuals (including EU/EEA citizens living within the UK)

The UK’s data protection authority (ICO) confirms that “the UK government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative.”

I do business with the UK and the EU/EEA

As from 1 January 2021, the EU GDPR will continue to apply in the EU/EEA. As for the UK, it will apply the ‘UK GDPR’, i.e. a very similar version of the EU GDPR.

This means that you may need to appoint both an EU GDPR representative and a UK GDPR representative if:

• you don’t have an establishment in the EU/EEA or in the UK
• you offer products or services to individuals who are in the EU/EEA and the UK or you monitor the behaviour of such individuals

EDPO can act as your EU/EEA GDPR representative AND as your GDPR UK representative.

If you appoint EDPO as your EU/EEA and UK Data Protection Representative before the end of the Brexit transition period, you only have to pay the price of one Representative!

If you sign up after the end of the transition period (i.e. after 31 December 2020) and you need both Data Protection Representatives, you will get the second Representative at 50% of the regular cost! 

Want to know more? Contact us! 

Appoint EDPO as your Data Protection Representative!