The United Kingdom formally left the European Union (EU) on the 31st of January 2020. However, there is still a lot of water to go under the bridge until "brexit" turns into "exit".
Currently, the UK remains in a transition period during which it continues to follow the EU's rules and regulations, and trading remains the same. The transition period gives the UK and EU time to come up with new agreements before Brexit is finalised. It ends on 31st December 2020, or on a different date if agreed by the UK and EU.
31st December 2020 is the important date to remember.
Once the transition period is complete, the UK leaves the EU single market and customs union, and a different set of rules, regulations and agreements will come into force.
The UK leaving the EU has a number of important consequences for the role of the GDPR Representative, which will take effect at this time. Keep in mind this is still subject to change based on any further agreements made between the UK and EU, but let's take a look at some of the key issues and where things currently stand.
From January 1st 2021 all businesses that are in the UK and meet the criteria requiring a GDPR representative will need to appoint one.
Of particular interest for UK businesses is the condition in Art 27 requiring a GDPR Representative if a business does not have a "presence" in the EU.
Currently, with the UK being part of the EU single market, UK businesses have a "presence" in the EU. However, from 1st January 2021, when UK businesses move from "inside" to "outside" the EU, their "presence" within the EU may change.
If your business operates exclusively out of the UK there's a high likelihood you will no longer have an EU "presence" after the exit, and this change may trigger the requirement to appoint an Art 27 GDPR Representative in the EU in order to be compliant with GDPR.
Have a read of our article "What is a GDPR Representative and when do I need one" for further information.
Brexit doesn't just affect UK businesses that may now require an Article 27 Representative. It will also affect non-UK businesses that have a relationship with the UK, including those in the EU.
As things currently stand, the relevant provisions of the UK’s own Data Protection Act 2018 will come into force on 1 January 2021 mirroring the relevant Article 27 provisions in GDPR regarding a "GDPR representative". This means that a business will need a new "UK representative" if:
Public bodies who are subject to the UK’s Data Protection Act will not need to appoint a "UK representative".
One of the requirements for GDPR Representatives is to be based in the EU. Under the existing arrangements this means a Representative in the UK can represent their clients throughout the EU.
From 1st January 2021 this will no longer be possible. A Representative must be based somewhere else in the EU, and not the UK, in order to provide Representative services. Businesses currently utilising a GDPR Representative in the UK should discuss their plans and ongoing suitability for continued Representation after the exit date.
Brexit is currently set to be finalised on 30th December 2020, unless a new date is agreed by the UK and EU. When the exit is completed a number of things related to privacy compliance will change for businesses all around the world.
If you are a business from the UK
If you are a business from the EU (excluding the UK)
If you are a business from the rest of the world (excluding the UK and EU)
It is relatively easy to comply with both EU GDPR and UK GDPR representative requirements. By appointing and maintaining both an EU and a UK representative you will be compliant in both jurisdictions.
We are happy to act on your behalf, as your GDPR representative. Our monthly, flat-fee price is based on the size of your business.