The 31^st December 2020 at 11pm signified the UK’s official departure from the EU single market after 48years. Though a deal may have been struck, it is by no means finalised. Many issues still need ironing out and one such factor is how to deal with data transfers between the UK and the EU going forward. For now, there is a further transition period of up to six months, which at least leaves some breathing space for those businesses that may not have put measures in place as yet. But in any case, the big question, for many, still remains as to what impact Brexit will have on the GDPR. How will it change how data is held and processed by any individual company in the UK?

In this article, we discuss potential regulations UK companies may be required to implement in relation to the GDPR and what is the difference between EU Representation and UK representation.

What is the UK GDPR?

The UK GDPR is a piece of UK national legislation that is designed to replace the EU’s GDPR in the UK after Brexit. The UK GDPR is, in effect, a duplicate of the GDPR, contains all of the same obligations and rights and duties but is tailored for the UK specifically.

See our video guide on this topic – What is the UK GDPR?

Will the UK still have to comply with the GDPR?

Data controllers or processors (ie. businesses who are located in the UK) after Brexit but who continue to hold data in relation to people who are in the EU after Brexit will still be required to comply with the GDPR because the GDPR will have global effect in relation to the data of anybody located in the EU.

See our video guide on this topic – Will the UK still have to comply with the GDPR?

What is adequacy in relation to the GDPR?

Adequacy in relation to the GDPR is a system whereby the EU recognizes that the data protection safeguards in place in a third country, are adequate for the purposes of GDPR and provide the same levels of safeguards as apply in the EU for the protection of personal data here. Where country is granted adequacy, transfers of data can take place between the third country and the EU as if the country were a member state of the EU effectively.

See our video guide on this topic – What is adequacy in relation to the GDPR?

What is the difference between an EU and a UK representative?

An EU representative is required under Article 27 of the GDPR where a data controller or processor does not have an establishment in the EU but processes data in respect of somebody who is in the EU. The UK’s GDPR is very similar to the EU’s GDPR and contains a similar Article 27 which states that if a controller or processor does not have an establishment in the UK and they process data in respect to people who are in the UK then they must they must appoint a UK representative for the purposes of the UK’s GDPR. So the roles are very similar. In fact, they are practically identical except that an EU representative is required where a business doesn’t have an establishment in the EU and holds data in respect of a person in the EU and a UK representative is required where a business does not have an establishment in the UK but holds and processes data in respect of a data subject in the UK.

See our video guide on this topic – What is the difference between an EU and a UK representative?

Can your appointed representative represent you in both the UK and the EU?

Once your representative is established in the EU and the UK then the representative is capable of representing you in both the EU and the UK but you will need separate representation in each jurisdiction for the GDPR of each of those jurisdictions after Brexit.

See our video guide on this topic – Can your appointed representative represent you in both the UK and the EU?

What if my current EU representative is based in the UK?

If your current EU representative is based in the UK and doesn’t have a separate establishment elsewhere in the EU then after Brexit they will no longer be established in the EU simply by being based in the UK. And, therefore, you will need to appoint a representative within an EU member state.

See our video guide on this topic – What if my current EU representative is based in the UK?

Will UK companies have to appoint an EU representative in every member state?

No, the provisions of the GDPR provide that once a representative is appointed in one member state that will cover the business for the purposes of all member states in the EU. The only requirement is that the business must hold data in respect of some data subjects in the member state in which it appoints its representative in the first place but after that then that representative can represent the business for all member states in the EU.

See our video guide on this topic – Will UK companies have to appoint an EU representative in every member state?

If you have any further questions about Brexit and what it means for the GDPR or would like to find out more about EU and UK representation, contact us at [email protected].