A guide to what Brexit means for UK business and the General Data Protection Regulation (GDPR).

It replaces the European Union’s Data Protection Directive 1995, as well as all member state legislation based on it – including the United Kingdom’s Data Protection Act 1998. Individuals and organisations in the European Union will have greater control over how their personal data is used as a result of the Act, which also sets significantly more duty and legislation on organisations that collect and store personal data.

It applies to all of the countries that are members of the European Union. Of course, the United Kingdom has left the EU and the General Data Protection Regulation (GDPR) is no longer effective.   Any organisation based outside of the EU that sells goods or provides services to people of the EU, however, is required to comply with the GDPR laws.

On completion of the Brexit transition period, the EU General Data Protection Regulation (GDPR) will be incorporated into law by the European Union (Withdrawal Agreement) Act 2020, and will be referred to as the UK GDPR domestically.   It is at this time that an organisation may require the services of an EU representative, which is what we will discuss in further detail later in this helpful book.

Is it necessary for all organisations to have an EU representative?
Is your organisation or business responsible for monitoring or providing services and goods to persons resident in the United Kingdom? If so, please describe your role. If you do, then you do, in fact, require an EU representative for the purposes of the GDPR.

This rule is exempt from the following two conditions:

1. If your company has an office and employees based in a European Union country, you are eligible to apply.
2. If your company simply handles and processes data on an occasional basis, it is not done on a big scale, and the data is not sensitive and is unlikely to pose a risk or cause harm to anyone.

However, imagine you only do business with people who live in the United Kingdom after December 31st, 2020, when the United Kingdom officially withdraws from the European Union. As a result, you are no longer legally compelled to have an EU representative on your team. This is completely pointless because, after that date, your customers will no longer be considered EU residents.

What exactly does a European Union representative do?
Although it is self-explanatory, an EU representative is a member of your organisation whose responsibility it is to comply with the General Data Protection Regulation. Those working on behalf of organisations based outside of the European Union must have their headquarters in the European Union.

For organisations in the United Kingdom, the major job is to serve as a link between the Information Commissioner’s Office (ICO), the organisation, and the individuals whose data is being kept.

They accomplish this through the following methods:

• It is the responsibility of the organisation or business to keep accurate and up-to-date records detailing the way data is handled.
• Responds to requests for information from the Information Commissioner’s Office.
• Responds to inquiries from the general public about the information that the organisation or corporation maintains about them (also known as “information retrieval”).

What is the difference between an EU representative and a Data Protection Officer (DPO)?
There is a significant distinction between a GDPR representative and a Data Protection Officer (DPO) in terms of theoretical implications. According to Article 37 of the General Data Protection Regulation, if a company has a physical presence in the European Union and processes “large volumes” of data or “sensitive data” relating to EU data subjects, the company is required to appoint a Data Protection Officer to oversee data processing activities.

The General Data Protection Regulation (GDPR) does not define what constitutes “large volumes” of data. Many national data protection authorities, however, have developed guidelines or representations of what they consider to be “high volumes” of data, which are based on the type of the data and the amount of time it will be received, processed, or retained. Everyone in charge of data protection should be voluntarily designated as a Data Protection Officer, as a recommended best practise.

Most importantly, while considering the function of a GDPR representative, remember that they are not accountable for the organization’s compliance with the General Data Protection Regulation (GDPR). Compliance with the General Data Protection Regulation (GDPR) is always the responsibility of the Data Protection Officer (DPO), or if no DPO has been established, the department in charge of controlling and/or processing the data.

There are other parallels between the work of a DPO and the role of GDPR representative that go beyond this distinction.

When is it necessary to nominate an EU representative?
As things stand right now, we have no way of knowing whether the United Kingdom will be leaving the European Union on December 31st, 2020, with or without a withdrawal agreement. It goes without saying that this leaves many people in the dark regarding the next measures to take and the rules that will need to be obeyed.

However, regardless of whether we have a Brexit deal or a no-deal Brexit, EU representatives must be in place if you retain data pertaining to people of the EU, unless you are exempt from the requirements outlined above. Thus, it is advisable to ensure that you have one in place and ready to use.

In addition to this. Entities not established in the United Kingdom but which sell products or services to individuals in the United Kingdom or (2) track their actions will be required to appoint a UK representative in order to comply with the United Kingdom data protection law, regardless of whether the UK leaves the EU with a deal or not. This was validated by the United Kingdom Data Protection Authority (also known as the Office of the Information Commissioner), which stated that:

‘After the United Kingdom leaves the European Union, the UK GDPR will require organisations that are based outside of the United Kingdom but must adhere to its provisions to establish a representative in the United Kingdom,’ according to the government.

What are the risks and obligations involved with not having a representative from the European Union on your team?
Simply put, if you conduct business within the European Union and do not have an EU representative, you are in violation of the General Data Protection Regulation (GDPR). This indicates that you are in violation of the law — that you are not complying with your legal responsibilities. It is not optional, and failure to comply can result in a significant fine. Read on for additional information regarding the fines that can – and will – be assessed against your company, which we will cover in our next section.

Considering the extent of responsibility demonstrated by the organisation about the technological and organisational measures it has put in place to comply with GDPR regulations, when assessing fines, consideration is given to the extent of responsibility displayed by the organisation. Businesses who fail to appoint an EU representative not only risk incurring significant fines as a result of their failure to do so, but they also risk incurring additional fines for non-compliance with several sections of the GDPR. This can have a disastrous effect on small and medium-sized firms.

The GDPR, in addition to fines, establishes civil liability for businesses, under which any individual who suffers significant or non-material loss as a result of a violation of the GDPR has the right to seek compensation from the company responsible for the damage. As part of its class action provisions, the GDPR offers a mechanism for non-profit organisations to bring legal action against corporations on behalf of large groups of customers.

Given the potential for civil liability for violations of the General Data Protection Regulation, one of the most critical things that businesses can do right now is to insure themselves against these ramifications. However, while cyber liability insurance can be used to limit company risks, it is important to remember that your responsibility to comply with legal requirements is implicit in your insurance policy. As a result of your decision not to appoint a GDPR representative for your firm, you are more than likely invalidating the insurance you pay to protect you against that risk.

What penalties have been imposed on corporations in the United Kingdom for violating the General Data Protection Regulation (GDPR)?
In the event of a violation of the GDPR, a maximum fine of EUR 20 million (about £18 million) or 4 percent of annual global revenue – whichever is larger – is imposed.

Once the Brexit transition period in the United Kingdom concludes at the end of 2020, the GDPR and Data Protection Act of 2018 in the United Kingdom will establish a maximum penalties of $17.5 million, or 4 percent of annual global revenue, for any violation of the GDPR and Data Protection Act of 2018.

However, not all GDPR violations result in financial penalties for data security. Supervisory authorities, such as the Information Commissioner’s Office (ICO) in the United Kingdom, may take a number of additional actions, such as:

• Warnings and reprimands are issued.
• Data processing is prohibited either temporarily or permanently.
• Requesting the correction, restriction, or erasure of personal information
• Transfers of personal data to third parties in the vicinity have been suspended.
• In September 2020, a total of €780,800 in fines was levied throughout the world. This resulted in a total of €72,406,375 in cumulative revenue up to that date in 2020.

How to choose an EU representative for your organisation
It is possible for your EU representative to be any individual who is based in the EU Member State from which you collect personal information.

If you collect information from data subjects in a country such as Germany, for example, your EU representative must be based in that country too. But if you get personal data from the EU as a whole, you have the option of nominating representatives in any member state of the European Union.

If you have a choice between multiple countries, it is advisable to choose the one in which you collect the most data or conduct the most extensive monitoring and evaluation.

Appointing an EU representative prior to Brexit is a good idea.
In the event that you do not already have an EU representative in place, you must appoint one before Brexit takes effect on January 1st 2021. In order to ensure that personal information continues to flow legally from them, your organisation would need to implement an appropriate transfer method, such as the Standard Contract Clauses (SCCs) in place for EU/EEA counterparts.

The European Union is conducting a data sufficiency evaluation of the United Kingdom. Consider the following scenario: the EU grants good adequacy judgements by January 1, 2021. Unless the organisations take any action, personal data will continue to flow freely from the EU/EEA to the United Kingdom in the same manner as it does now, with no restrictions.

Who is eligible to serve as an EU Representative?
It is possible for any natural or legal person residing in one of the EU Member States to be appointed as a non-EU company representative.

The representative’s place of business or personal residence must be located within the European Union. It is also necessary for the representative’s residency to be in one of the EU Member States where the data subjects whose personal data is being processed by the business are situated.

In order to fulfil their role as the primary point of contact for everything relating to the organization’s processing of personal data under the GDPR, the representative must interact with data subjects in a timely manner and comply with the requirements of the applicable data protection supervisory authorities.

What factors should you take into account when hiring an EU and/or a UK representative?
Even if you believe you do not require the services of an EU representative at this time, consider your long-term company objectives. Are you seeking to or intending to develop your business into the European Union markets? You should make preparations as soon as possible if this is something you plan on doing in the near future, in case there are any delays or difficulties.

If you could also think about the best cost-effective approach to designate either an EU or a UK GDPR representative, that would be quite beneficial. While hiring someone in-house is an option, you must ensure that they are up to date on the newest news, advancements, and regulations pertaining to data privacy. Alternatively, you might contract with a competent third-party to complete the task for you. This is a more expensive alternative, but it ensures that you are working with someone who is very knowledgeable in their field. Once again, make certain that they are based in the jurisdiction from where you are collecting data. Understanding and speaking the local language is a valuable talent to have and should be sought after.

What JVR Consultancy Can Do to Assist You

The EU representative service that we provide here at JVR Consultancy is extremely extensive. Our European Economic Area offices are located in Cyprus. As an added service, we can serve as your external Data Protection Officer (DPO), providing you with guidance and support in the future. It is possible for us to ensure that you are in compliance with the most recent regulations, and in the event that there is an issue with your data security, we can work with you to discover solutions to the problem.

GDPR and data privacy are issues that businesses must take seriously – please don’t let yourself be taken advantage of; take action today by contacting the team

Frequently Asked Questions from our Customers