This is a guest blog from our partners DPR Group.
DPR Group was created to meet the need for businesses to have a Data Protection Representative in the EU to provide the representation necessary to meet their obligation under Article 27 of GDPR.
With locations across all EU nations and the UK (a feature unique to DPR Group), the company provides one of the best data protection representative services available.
Brexit will have a huge effect on many businesses, not just in the UK and EU, but around the world. One of the effects relates to the application of data protection, in particular the General Data Protection Regulation (“GDPR”) and the UK equivalent law, the Data Protection Act 2018 (“DPA18”). This includes the creation of the new UK Data Protection Representative role, a requirement for companies outside the UK selling into the UK.
The basic position is that most obligations will remain the same – the UK has brought GDPR into UK law, so it will continue to apply after the Brexit transition, and it is generally expected that the UK won’t seek to significantly reduce those protections for its citizens, as there is a strong desire to obtain an “adequacy” status from the EU (see cross-border transfers, below).
The changes mainly arise in respect of cross-border obligations. However, assuming organisations are already compliant with GDPR’s obligations, the changes should hopefully be relatively simple.
There are two main areas which will change:
- Appointment of Representative(s) for companies based in the EU and/or UK
- Cross-border transfers of personal data from the EU to the UK
Please be aware that these changes will only occur after the end of the transition period (on 31 December 2020); until that time, the EU will continue to apply GDPR as though the UK is an EU member state, so application of GDPR across the EU and UK remains unchanged.
The GDPR Representative Requirement
It’s worth summarising the GDPR Representative requirement, as it may not have been relevant before – and it’s one of the lesser-known elements of GDPR anyway! Essentially, Article 27 of GDPR requires a company which (a) sells to the EU or monitors people there and (b) has no ‘establishment’ (generally a physical location) in the EU to appoint a Representative in the EU. That Representative should be located in the EU country where the organisation has the largest number of data subjects, and data subjects in other EU countries should have easy access to it. If an external company is appointed as Data Protection Officer (DPO), the Representative should not be the same company.
At the end of the Brexit transition period on 31 December 2020, the UK leaving the EU will affect the application of the Representative obligation under GDPR (and DPA18) for three types of organisations:
- UK-based companies selling to the EU (or monitoring people there), with no office in the remaining EU27
- International companies selling to the EU (or monitoring people there), whose only EU office is in the UK
- All companies (including those in the EU) selling to the UK (or monitoring people there) with no UK office
Reference: GDPR Articles 3(2) & 27, Recital 80; European Data Protection Board Guidance 03/2018
We have prepared the table below summarising the effects, and more detail is provided below the table.
UK-based companies selling to the EU, with no EU office
Any company in the UK which processes personal data as a result of selling to the UK or wider EU will now be familiar with its obligations under GDPR. These obligations will continue under UK law, but for companies with no office in the EU there will be an additional obligation under the extra-territorial scope of GDPR, as the UK will be treated as a ‘third country’ for its purposes; they need to appoint an EU Representative (see here for confirmation from the UK Information Commissioner’s Office). If you are a UK-based company with no office in the remainder of the EU, and you sell to the EU or monitor people there (e.g. keep a list of marketing prospects, receive and/or transmit data about locations, etc.), you will need to appoint an EU Representative.
Many global companies choose to base their only EU office in the UK. When the Brexit transition period ends, it will mean that company does not have an establishment in the EU for the purpose. If that company processes the personal data of individuals based in the remainder of the EU (i.e. if it has EU customers outside of the UK), it will then have the additional requirement under Article 27 of GDPR to appoint an EU Representative.
Companies (inside or outside the EU) selling to the UK with no UK office
As well as the obligation under GDPR, legislation has been passed by the UK Parliament altering DPA18, creating an obligation on non-UK companies to appoint a UK Data Protection Representative after 31 December 2020 (The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019). This is a new role, created as a result of Brexit, to give individuals in the UK roughly equivalent rights to those in the EU. Essentially, the UK Representative will undertake the same role for companies selling into the UK from outside that the EU Representative does for companies selling into the EU from outside.
Please note that, for companies outside the EU which sell to the UK but no other EU countries, the obligation is effectively similar – their obligation has changed from appointing a Data Protection Representative in the EU to appointing one in the UK.
Cross-border transfers of personal data from the EU to the UK
The other major GDPR/data protection effect for companies will be the cross-border transfer of personal data from the EU to the UK.
GDPR requires that any transfer of personal data across international borders be undertaken with one of a limited number of prescribed protections – the preferred (and easiest) method is if the country to which the data is being transferred has been awarded an ‘adequacy’ status by the EU, meaning that they have a similar level of data protection as the EU.
It is ultimately hoped that the UK will be granted adequacy status. However, that is far from certain (the UK’s surveillance powers in particular may cause issues) and, regardless, there are definite challenges with achieving this before the end of the transition period.
If there is no adequacy status for the UK from 1 January 2021, it will be necessary to use another method to protect that transfer of data. The most common methods are the use of standard contractual clauses (there is a standard, EU-approved, contract wording for this purpose, which can be located easily online) and to create binding corporate rules (for transfers between international offices of the same company) which are approved by the EU authorities – which can be a long and expensive procedure. For EU to USA transfers, the Privacy Shield programme provides an equivalent protection if the company is a fully signed-up member of that programme.
It’s worth noting this won’t apply to transfers in the other direction (from the UK to the EU); the UK has indicated that it will automatically identify any country – which has been deemed adequate by the EU – as also adequate for the UK. This includes all the countries of the EU, so there will be no additional requirements for personal data flowing from the UK to the EU, only the other way round.
Tim Bell, CEO DPR Group