What does Brexit mean for your business and Article 27 GDPR compliance?

Brexit is here .. almost

The United Kingdom formally left the European EU on the 31st of January 2020. However, there is still a lot of water to go under the bridge until "brexit" turns into "exit".

Currently, the UK remains in a transition period where the UK continues to follow EU's rules and regulations, and trading remains the same. This transition period provides time for the UK and EU to come up with new agreements before Brexit is finalised and ends on 31st December 2020, or on a different date if agreed by the UK and EU.

31st December 2020 is the important date to remember.

Once the transition period is complete the UK leaves the EU single market and custom union and a different set of rules, regulations and agreements will take force.

There are a number of important consequences of the UK leaving the EU on the role of the GDPR Representative, which will occur at this time. Keep in mind this is still subject to change based on any further agreements made between the UK and EU, but lets take a look at some of the key issues and where things currently stand.

Article 27 compliance for UK Businesses

From January 1st 2021 all businesses that are in the UK and meet the criteria requiring a GDPR representative will need to appoint one.

Of particular interest for UK businesses is the condition in Art 27 requiring a GDPR Representative if a business does not have a "presence" in the EU.

Currently, with the UK being part of the EU single market, UK businesses have a "presence" in the EU. However, from 1st January 2021 when UK businesses move from "in-side" to "out-side" the EU their "presence" within the EU may change.

If your business operates exclusively out of the UK there's a high likelihood you will no longer have an EU "presence" after the exit, and this change may trigger the requirement to appoint an Art 27 GDPR Representative in the EU in order to be compliant with GDPR.

Have a read of our article on What is a GDPR Representative and when do I need one for further information.

UK's Data Protection Act compliance for Non-UK Businesses

Brexit doesn't just affect UK businesses that may now require an Article 27 Representative, it wil also affect Non-UK businesses who have a relationship with the UK, including those in the EU.

As things currently stand, the relevant provisions of the UK’s own Data Protection Act 2018 will come into force on 1 January 2021 mirroring the relevant Article 27 provisions in GDPR regarding a "GDPR representative". This means that a business will need a new "UK representative" if:

  • the business is subject to the UK’s Data Protection Act; and
  • the business does not have a "presence" in the UK; and
  • (the business is processing of "personal data" (as defined under the UK’s Data Protection Act) is not "occasional".

Public bodies who are subject to the UK’s Data Protection Act will not need to appoint a "UK representative".

Use of existing Article 27 GDPR Representatives based in UK

One of the requirements for GDPR Representatives is to be based in the EU. Under the existing arrangements this means a Representative in the UK can represent their clients throughout the EU.

From 1st January 2021 this will no longer be possible. A Representative must be based somewhere else in the EU, and not the UK, in order to provide Representative services. Businesses currently utilising a GPPR Representative in the UK should discuss their plans and ongoing suitability for continued Representation after the exit date.

Summary

Brexit is currently set to be finalised on 30th December 2020, unless a new date is agreed by the UK and EU. When the exit is completed a number of things related to privacy compliance will change for businesses all around the world.

If you are a business from the UK

  • You may need a GDPR Representative for Article 27 compliance before 1st Januaary 2021.
  • We have a Brexit program UK businesses can sign up to, which lets you prepare now but won't activate fees until the exit date occurs.

If you are a business from the EU (excluding the UK)

  • You may need to appoint a UK Representative for DPA compliance before 1st January 2021.
  • Check back with us later, or drop us a line via the contact page if you are interested in this service. We will implement a UK Representative service as the date approaches and certainty on the UK governments position increases.

If you are a business from the rest of the world (excluding the UK and EU)

  • You may need to appoint an Art 27 GDPR Representative in the EU now to increase your GDPR compliance. If you need additional information have a read of the article What is a GDPR Representative and when do I need one .
  • If you have already appointed a GDPR Representative who is based in the UK you should discuss with them how they can continue to Represent you from 1st January 2021 or look to find a new Representative not based in the UK.
  • You may need to appoint a UK Representative for DPA compliance before 1st January 2021. We will be developing a plan discount to make sure existing GDPR Representative customers will be able to register for UK as well.
  • If you're ready to appoint a GDPR Representative, and think we can help, your welcome to try our 30 day free trial. Representative plans start from only €19 per month, see below for details.

Can we help you be compliant?

If your business requires an Art 27 GDPR Representative, select the plan that fits your business size to start your 30 day free trial.

30 day free trial

Access to all features

No credit card required to trial

No obligation to continue after your free trial

Flat monthly fees, no hidden costs or long term subscriptions

OWNER

19 /month

Owner, with no employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo
Try for Free
MICRO

35 /month

1 to 10 employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo
  • PDF Certificate
Try for free
SMALL

69 /month

11 to 50 employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo
  • PDF Certificate
  • Notifications, escalations & reporting
Try for free
MEDIUM

175 /month

51 to 250 employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo
  • PDF Certificate
  • Notifications, escalations & reporting
  • Customer Care Portal Branding, Audit Logging & Pre-response approval
Try for free
LARGE

590 /month

over 250 employees

  • Art 27 GDPR Representative for all EU Member States
  • Unlimited data subject access requests (DSAR)
  • Website Certificate
  • GDPR Compliant
  • Customer Care Portal Logo
  • PDF Certificate
  • Notifications, escalations & reporting
  • Customer Care Portal Branding, Audit Logging & Pre-response approval
Try for free