What does Brexit mean for your business and Article 27 GDPR compliance?

Brexit is here... almost

The United Kingdom formally left the European Union (EU) on the 31st of January 2020. However, there is still a lot of water to go under the bridge until "Brexit" turns into "exit".

Currently, the UK remains in a transition period during which it continues to follow the EU's rules and regulations, and trading remains the same. This transition period gives the UK and EU time to come up with new agreements before Brexit is finalised, and it ends on 31st December 2020, or on a different date if agreed by the UK and EU.

31st December 2020 is the important date to remember.

Once the transition period is complete, the UK leaves the EU single market and customs union, and a different set of rules, regulations and agreements will come into force.

The UK leaving the EU has a number of important consequences for the role of the GDPR Representative, which will take effect at this time. Keep in mind this is still subject to change based on any further agreements made between the UK and EU, but let's take a look at some of the key issues and where things currently stand.

Article 27 compliance for UK Businesses

From January 1st 2021 all businesses that are in the UK and meet the criteria requiring a GDPR representative will need to appoint one.

Of particular interest for UK businesses is the condition in Art 27 requiring a GDPR Representative if a business does not have a "presence" in the EU.

Currently, with the UK being part of the EU single market, UK businesses have a "presence" in the EU. However, from 1st January 2021, when UK businesses move from "inside" to "outside" the EU, their "presence" within the EU may change.

If your business operates exclusively out of the UK there's a high likelihood you will no longer have an EU "presence" after the exit, and this change may trigger the requirement to appoint an Art 27 GDPR Representative in the EU in order to be compliant with GDPR.

Have a read of our article on What is a GDPR Representative and when do I need one for further information.

UK's Data Protection Act compliance for Non-UK Businesses

Brexit doesn't just affect UK businesses that may now require an Article 27 Representative; it will also affect non-UK businesses that have a relationship with the UK, including those in the EU.

As things currently stand, the relevant provisions of the UK’s own Data Protection Act 2018 will come into force on 1 January 2021 mirroring the relevant Article 27 provisions in GDPR regarding a "GDPR representative". This means that a business will need a new "UK representative" if:

  • the business is subject to the UK’s Data Protection Act; and
  • the business does not have a "presence" in the UK; and
  • the business's processing of "personal data" (as defined under the UK’s Data Protection Act) is not "occasional".

Public bodies who are subject to the UK’s Data Protection Act will not need to appoint a "UK representative".

Use of existing Article 27 GDPR Representatives based in UK

One of the requirements for GDPR Representatives is to be based in the EU. Under the existing arrangements this means a Representative in the UK can represent their clients throughout the EU.

From 1st January 2021 this will no longer be possible. A Representative must be based somewhere else in the EU, and not the UK, in order to provide Representative services. Businesses currently utilising a GDPR Representative in the UK should discuss their plans and ongoing suitability for continued Representation after the exit date.

Summary

Brexit is currently set to be finalised on 30th December 2020, unless a new date is agreed by the UK and EU. When the exit is completed a number of things related to privacy compliance will change for businesses all around the world.

If you are a business from the UK

  • You may need a GDPR Representative for Article 27 compliance before 1st January 2021.
  • We have a Brexit program UK businesses can sign up to, which lets you prepare now but won't activate fees until the exit date occurs.

If you are a business from the EU (excluding the UK)

  • You may need to appoint a UK Representative for DPA compliance before 1st January 2021.
  • Check back with us later, or drop us a line via the contact page if you are interested in this service. We will implement a UK Representative service as the date approaches and certainty on the UK government's position increases.

If you are a business from the rest of the world (excluding the UK and EU)

  • You may need to appoint an Art 27 GDPR Representative in the EU now to increase your GDPR compliance. If you need additional information have a read of the article What is a GDPR Representative and when do I need one.
  • If you have already appointed a GDPR Representative who is based in the UK you should discuss with them how they can continue to Represent you from 1st January 2021 or look to find a new Representative not based in the UK.
  • You may need to appoint a UK Representative for DPA compliance before 1st January 2021. We will be developing a plan discount to make sure existing GDPR Representative customers will be able to register for the UK as well.
  • If you're ready to appoint a GDPR Representative, and think we can help, you're welcome to try our 30-day free trial. Representative plans start from only €19 per month, see below for details.

Let's make you compliant

It is relatively easy to comply with both EU GDPR and UK GDPR representative requirements. By appointing and maintaining both an EU and a UK representative you will be compliant in both jurisdictions.

We are happy to act on your behalf, as your GDPR representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the EU & UK today.