Data Protection with a hard Brexit – you might not need a representative in the UK

Is cyber crime a threat to SMEs?

Several companies have made claims similar to “EU companies required to appoint UK Representative if there is a NO DEAL Brexit”. The headlines are wrong. I checked the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and with the ICO. EU companies MAY need to appoint a UK representative, but if any exemptions on representatives from the GDPR apply they DO NOT NEED ONE. The exemptions are:

a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing;
b) a public authority or body

I also asked the ICO if they will take, or are likely to take, the EDPB approach to representatives with “the possibility to impose administrative fines and penalties, and to hold representatives liable”. This is in Guidelines 3/2018 on the territorial scope of the GDPR (Article 3). The ICO response was their powers are limited to holding representatives liable to the extent that information notices can be issued against them. This is in section 142(9) of the Data Protection Act 2018. An Information Notice requires information to allow the ICO to assess the security of network and information systems and the implementation of security policies, including any inspections conducted.

So it seems there are less liabilities for representatives in the UK compared to representatives in the EU. But if you are after a representative in the UK, make sure there are arrangements in your contract with them for handling information notices.

t: +44 (0)7941 188462