July 1, 2021
1. ASSUMING THAT SMALL VOLUMES OF UK DATA DON’T FALL UNDER THE UK GDPR
Many EU companies don’t realise how much data they are collecting on UK individuals, particularly in the case of visitors to websites. Any UK visitor who lands on your website is probably already being tracked via cookies. The same goes if your company uses an online payment application that UK individuals have access to.
A wealth of information is therefore collected about that visitor’s browser, location and bank information, all of which is considered personal data under the UK GDPR if the information can be linked to an identifiable natural person. Because of such a systematic collection of personal data, an EU company can hardly argue that the volumes of personal data collected are small, nor can it argue that the collection of personal data is occasional.
2. BELIEVING THAT THE UK GDPR DOES NOT APPLY TO B2B BUSINESS
If you’re processing personal data that enables you to identify an individual in the UK either directly or indirectly, you’ll fall within the scope of the UK GDPR. So even if you’re only processing names, professional e-mails, professional phone numbers or IP addresses, you must be compliant with the UK GDPR.
You will only fall outside the scope of the UK GDPR if the data that you’re processing clearly – and only – relates to a business (for example the company name, the business address or general e-mail addresses such as “info@” and “support@”).
3. THINKING THAT YOUR COMPANY DOESN’T HAVE TO APPOINT A DATA PROTECTION REPRESENTATIVE BECAUSE THE UK WAS GRANTED AN ADEQUACY DECISION
Although the European Commission has granted the UK an Adequacy Decision – which means that data transfers from the EU to the UK are considered safe and that personal data can therefore flow freely between the EU and the UK – EU companies must still comply with all of the other obligations under the UK GDPR, such as the obligation to appoint a UK Representative. Compliance regarding these other matters should already have been taken care of since Brexit took effect on 1st January 2021.
If you haven’t heard about the obligation for EU companies to appoint a UK GDPR Representative, it’s probably because almost everything that’s been written or discussed around the UK GDPR has been focused on the data flows between the EU and the UK.
Appointing a data protection representative is a major compliance obligation under the UK GDPR. Therefore, if your business (1) is located outside the UK and has no offices, branches or other establishments in the UK, and (2) offers goods or services to individuals in the UK or monitors the behaviour of individuals within the UK, then you must appoint a UK representative.*
The UK Representative must be located in the United Kingdom and acts as a point of contact for individuals in the UK and the UK Data Protection Authority (ICO). Additionally, the Representative can assist and support your company in the handling of data breach notifications to the ICO.
In the event of non-compliance, companies face administrative fines of up to the equivalent of 10,000,000 EUR or up to 2% of the company’s annual worldwide turnover. The ICO can also temporarily or permanently restrict processing and suspend data flows.
*Unless the cumulative exceptions of Article 27 (2) apply.
There’s a lot of information out there about what the UK GDPR is and how it operates. There have been many developments since we first heard about Brexit, and it’s best to keep an eye out for future changes or updates. EU companies are already familiar with the EU GDPR, but overlooking the obligations of the UK GDPR is still very common amongst businesses.
Need any help trying to avoid these common mistakes? EDPO UK Ltd enables EU companies to continue to have access to the UK market by correcting these mistakes and protecting data privacy.