Brexit has resulted in some confusion over the resulting data protection requirements to adhere to. EU data protection no longer applies in the UK. That means many UK organisations will now need to appoint an EU data protection representative. At the same time, many EU-based companies must now appoint a UK data protection representative. How these appointments apply depends upon location; if an organisation does not have a UK office then it is required to have a UK representative. Today we take a closer look to answer the question: Do I need a UK data protection representative after Brexit?
UK Companies
From 1st January 2021, any UK companies not having an establishment in any EU member states will need an EU Representative if:
- They process the personal data of individuals located in the EU (regardless of their citizenship), for the provision of goods or services
- The company monitors the behaviour of EU data subjects (i.e. targeted ad campaigns on search engines)
If your company provides a variety of services to EU citizens, then it meets the EU data protection representative requirement. These include: financial, business, legal, online retail, marketing and advertising, cloud, transportation, aviation, clinical trials, health and diagnostic services and mobile apps.
Exceptions
The requirement excludes public authorities and bodies. Those companies processing small amounts of data, infrequently, and without touching upon special categories of data, are also an exception. The exceptions are very narrow as the conditions must be met on a cumulative basis.
EU Companies
From 1st January 2021, any EU companies without a UK establishment must appoint a UK representative if:
- They process the personal data of UK-based individuals (regardless of their citizenship), for the provision of goods or services
- They monitor the behaviour of UK data subjects
You meet with the UK data protection representative requirement if you provide services which include: Financial, business, legal, online retail, marketing, advertising, cloud, transportation and aviation, clinical trials, health and diagnostic services and mobile apps.
Exceptions
As with the exceptions highlighted above under the ‘UK Companies’ section. Small, infrequent data processing with no special categories means then you are an exception.
The role of the data protection representatives
The UK representative must act as a local point of contact for data protection and privacy related matters. Within official proceedings, they communicate with the British data protection supervisory authority. When data subjects request the option to exercise their UK data protection rights (i.e. with subject access requests), the representative deals with them. Company privacy policies need to include their contact details plus a written record of the fact they are established in the UK. Representatives keep a copy of the company’s Records of Processing Activities. The British Information Commissioner’s Office obligates them to disclose documentation.
The EU representative is also a local point of contact. They are responsible for liaising with the relevant supervisory bodies and data subjects when required. Their details must be found in privacy policies. They must be established in an EU state for which the company provides goods, services, or monitors data subjects. They too keep the Records of Processing Activities and must then co-operate with the relevant EU supervisory bodies.
Appoint an EU representative and report to a single authority
The European Data Protection Board has stated that organisations doing this only need to report data breaches to a single authority. This is instead of reporting back to up to 43 different EU authorities, and counts even if the breach affects data subjects in all EU countries.
Do I need a UK data protection representative after Brexit? If your organisation meets with the relevant criteria, then yes. Relevance is key, and you must adhere to data protection regulations – for further guidance, contact us.
CRIBB Cyber Security powers theICEway‘s security by design approach to IT. Our data protection experts are qualified in all worldwide legislation. They are already helping clients with UK and EU representation. We are constantly updating our knowledge bases to ensure we can provide the most up-to-date advice. As cyber-crime rates continue to increase, it is essential to have the right security framework in place. You must be aware of what you need to do to be compliant. A call with our experienced team can help.