OUR UK REPRESENTATIVE SERVICES
What is the impact of Brexit for your company?
Are you compliant since Brexit?
What do you need to do?
The United Kingdom now applies the UK GDPR, with similar obligations, rights and principles as the EU GDPR. Since 1st January 2021 (Brexit), non-UK companies also have to comply with certain obligations of the UK GDPR. Depending on where your company is located and where you do business, you may need to appoint one or even two Data Protection Representatives.
I am a UK company
Since 1 January 2021, you most likely have to appoint an EU GDPR representative if:
- you don’t have an establishment in the EU/EEA
- you offer products or services to individuals who are in the EU/EEA or if you monitor the behaviour of such individuals (including UK citizens living within the EU/EEA)
Take our quick assessment test to find out if you need to appoint a GDPR EU representative!
Find out more about our EU Representative services and about our fees.
I am an EU/EEA company
Since 1 January 2021, the UK applies the ‘UK GDPR’. So the key obligations, rights and principles of the EU GDPR remain the same in the UK.
Even if you’re based in the EU, this means that you may need to appoint a UK GDPR Representative if:
- you don’t have an establishment in the UK
- you offer products or services to individuals who are in the UK or you monitor the behaviour of such individuals (including EU/EEA citizens living within the UK)
The UK’s data protection authority (ICO) confirms that you need to comply with the UK GDPR regarding this processing. “As you will not have a base inside the UK after the transition period ends, the UK GDPR will require you to appoint a representative in the UK.”
EDPO’s UK sister company (EDPO UK LTD) can act as your UK GDPR Representative.
Find out more about our UK Representative services and about our fees.
I do business with EU/EEA only
Even if you are based outside the European Union or the EEA, you may need to appoint a GDPR Representative if:
- you don’t have an establishment in the EU/EEA
- you offer products or services to individuals who are in the EU or monitor the behaviour of individuals in the EU (such as tracking or profiling)
If you haven’t appointed a GDPR EU/EEA representative and you’re not sure if you have to appoint one, take our assessment test to find out if you have to appoint one.
If you know that you need one, appoint EDPO now as your GDPR EU/EEA Representative!
I do business with the UK only
Since 1 January 2021, the UK applies the ‘UK GDPR’. So the key obligations, rights and principles of the EU GDPR remain the same in the UK.
Even if you are based outside the UK, you may need to appoint a UK GDPR Representative if:
- you don’t have an establishment in the UK
- you offer products or services to individuals who are in the UK or you monitor the behaviour of such individuals (including EU/EEA citizens living within the UK).
EDPO’s UK sister company (EDPO UK LTD) can act as your UK GDPR Representative.
I do business with the EU/EEA and the UK
Since 1 January 2021, the EU GDPR continues to apply in the EU/EEA. As for the UK, it now applies the ‘UK GDPR’, so the key obligations, rights and principles of the EU GDPR will remain the same in the UK.
This means that you may need to appoint both an EU GDPR representative and a UK GDPR representative if:
- you don’t have an establishment in the EU/EEA or in the UK
- you offer products or services to individuals who are in the EU/EEA and the UK or you monitor the behaviour of such individuals
EDPO can act as your EU/EEA GDPR representative AND as your GDPR UK representative.
Your obligations in a nutshell
We provide a full range of high-quality representation services
Representation services in the UK
We act as your Data Protection Representative in your name and on your behalf in the United Kingdom. Our office is located in London, at 8 Northumberland Avenue, London WC2N 5BY.
Data Subject Access Requests (DSARs)
We handle an unlimited number of DSARs across the UK. By “handling”, we mean that we receive requests, perform identity checks (if you instruct us to do so), forward the requests to you, answer your questions as to best practices on how to respond to the requests and reply to the data subjects on your behalf, unless you choose to answer yourself. We aren’t just a mailbox or message forwarding service.
Requests from the Data Protection Authority (ICO)
We handle an unlimited number of requests from the Data Protection Authority (ICO) in the UK. We understand that it can be quite daunting for companies to be contacted by a data protection authority. That’s why our team handles such requests with great care and diligence.
Data Breach Notification Support
We assist and support you in the handling of an unlimited number of data breach notifications in the UK. We understand that the process can sometimes be very challenging, especially given the tight 72-hour deadline to notify the data breach.
IMPORTANT NOTICE IN CASE OF DATA BREACH: Our contract will not automatically terminate in the event that you experience a data breach. We support you all the time and all the way.
Compliance Certificate
We provide you with a Compliance Certificate based on data protection technology through a unique high-level encryption / decryption process (including Blockchain technology) which can be used on your website and on your company material.
Top-level security storage of your Record of processing activities
Your record of processing activities is kept on a highly secure platform that is certified with the latest and most comprehensive in-depth security certification – ISO/IEC 27001:2013 – which covers its entire business, people, processes, procedures and platform. You don’t have a record of processing activities? We’ll be more than happy to provide you with referrals of templates and/or experts who can help you create your ROPA.
Dedicated client support
Privacy Policy/Documentation Wording
Our fees
Our UK GDPR representative fees are based on the size of your company (in terms of number of employees), the type of data (regular data and/or sensitive data) that your company processes, whether or not your company’s processing operations require regular and systematic monitoring of individuals in the UK and whether your company processes personal data on a large scale.
All packages can be tailored to your company’s specific needs.
Our fees include the following services:
- The handling of an unlimited number of requests from individuals (data subjects) in the UK
- The handling of an unlimited number of requests from the UK Data protection authority (ICO)
- The storage of a copy of your Record of processing activities on a platform which has the highest and most in-depth security certification (ISO27001)
- Assistance with the handling of an unlimited number of data breach notifications
- The right to use EDPO UK’s contact details and logo on your website and on other company material
- The right to use the EDPO UK Compliance Certificate which is based on Blockchain technology
- Alerts on relevant data protection-related news and developments regarding your company’s compliance with the UK GDPR.
Our fees are all-inclusive. No hidden costs. No surprises.
Here is an indicative list of our UK Representative fees*:
* Fees are payable in up-front annual payments
Special Offer
Also appoint EDPO as your EU Representative and get a reduction of 20% off the UK Representative price!
Small Companies
£83 / Month*
- Less than 50 employees
- No large scale processing of UK personal data
Medium Companies
£155 / Month*
- Between 51 and 250 employees
- No large scale processing of UK personal data
Large Companies
£260 / Month*
- Between 251 and 500 employees
- No large scale processing of UK personal data
Very Large / Special Categories
- More than 500 employees
- Large scale processing of UK personal data
- Financial institutions
- Other complex processing activities
Additional fees may apply in case of processing of sensitive data.
*The fees are payable in upfront annual payments.
Small Companies
£83 / Month*
- Less than 50 employees
- No processing of sensitive data
- No large scale processing of EU personal data
Medium Companies
£155 / Month*
- Between 51 and 250 employees
- No processing of sensitive data
- No large scale processing of EU personal data
Large Companies
£260 / Month*
- Between 251 and 500 employees
- No processing of sensitive data
- No large scale processing of EU personal data
Very Large / Special Categories
- More than 500 employees and/or
- Processing of sensitive data and/or
- Large scale processing of UK personal data and/or
- Financial institutions and/or
- Other complex processing activities
Additional fees may apply in case of processing of sensitive data.
*The fees are payable in upfront annual payments.
Checklist for the appointment of your EU & UK Data Protection Representative
EDPO UK
8 Northumberland Avenue
London WC2N 5BY
info@edpo.com
What is personal data?
Personal data under the GDPR has a very broad interpretation and includes any information that relates to an identified or identifiable natural person: name, pictures, addresses, phone numbers, e-mail addresses, IP addresses (even dynamic), identification numbers, location data, age, origins, pseudonyms, etc.
What is sensitive data?
Sensitive data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.
What is considered to be processing “on a large scale”?
The GDPR does not define what constitutes “large scale” processing but guidelines on the interpretation of the GDPR recommend that the following factors be considered when determining whether the processing is carried out on a large scale:
- the number of individuals concerned – either as a specific number or as a proportion of the relevant population
- the volume of data and/or the range of different data items being processed
- the duration, or permanence, of the data processing activity
- the geographical extent of the processing activity
Examples of large-scale processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
- processing of patient data by an individual doctor
- processing of personal data relating to criminal convictions and offences by an individual lawyer