As Brexit uncertainty continues, organisations are still considering their options with respect to data protection in the event of a no-deal Brexit. A 'no-deal' Brexit will generate a number of data protection concerns and necessary actions for organisations across industries, including the appointment of an article 27 representative in the UK and/or the EU.
What is 'a representative' and who does it apply to?
A representative is a local point of contact for the organisation they represent, who can communicate with individuals and data protection authorities on behalf of the organisation in relation to data protection matters.
The GDPR requires organisations not established in the EU to appoint a representative in an EU member state, if the organisation monitors the behaviour of individuals in the EU, or if it is apparent that the organisation intends to offer goods or services to individuals in the EU. Following Brexit, organisations in the UK will be subject to the same requirements, as they will no longer be established in the EU.
In addition to this, in the event of a no deal Brexit, organisations not based in the UK who are offering goods or services to individuals in the UK or monitoring their behaviour will be required to appoint a UK representative, in order to comply with UK data protection law. This has been confirmed by the Information Commissioner's Office, which has stated that ''the UK government intends that after UK leaves the EU, the UK GDPR will require organisations located outside of the UK, but which still have to comply with the UK GDPR, to appoint a UK representative''.
What does this mean in practice for organisations?
Currently, organisations based in the UK do not require a representative in the EU and organisations established in other EU countries do not need a representative in the UK. Following Brexit, this will change:
- Organisations established outside the EU and the UK: currently, these organisations require one representative based in the EU. Following Brexit, these organisations may need an additional representative. If the organisation's current representative is based in the UK, but the organisation sells to or monitors individuals in the EU, an additional EU representative will be required to comply with the GDPR. If the organisation's current representative is based in another EU member state, but the organisation sells to or monitors individuals in the UK, a UK representative will be required to comply with UK law.
Alternatively, it may prove cost-effective to appoint an outsourced representative with establishments in both the EU and the UK which can act on the organisation’s behalf in both cases.
- Organisations established in the UK: organisations established in the UK but which offer goods or services to, or monitor, individuals in the EU will need to appoint a representative in an EU country following Brexit.
- Organisations established in other EU countries: organisations established in the EU but not in the UK, which offer goods or services to, or monitor, individuals in the UK will need to appoint a representative in the UK following Brexit. This will be needed in order to comply with UK law.
What do you need consider when appointing an EU and/or a UK representative?
- Assess where you need a representative (UK and/or EU) considering your current and future business operations
- Consider whether your business foresees an expansion which will lead to a new market. Will you need a representative in the UK and/or the EU as a result of this?
- Find the best business option to minimise the cost of appointing representative(s) (e.g. a representative located in the jurisdiction required).
- While a UK representative is relatively straightforward in terms of the representative's location, non-EU organisations will need to assess carefully when choosing where to appoint their EU representative.
- Representatives should be located in a jurisdiction in which there are individuals whose data is being processed, but if the individuals are located in multiple countries the organisation will need to make a choice about where to appoint them. In many cases this will not be an obvious choice and a business and legal analysis will be needed to assess where a representative can most effectively fulfill their role.
- If an organisation processes data from individuals in multiple EU countries, the representative must remain easily accessible to the individuals in all those countries, and must be able to communicate in the language used by the individuals and supervisory authorities of each of those countries.
An outsourced representative with an international presence will make it easier to have a representative easily accessible to individuals and supervisory authorities in different countries, with the language skills required to communicate with them.
Flowchart for EU/UK reps
The below chart (PDF available here) takes into account the requirements to appoint a representative in the UK in the event of a no-deal Brexit. If the UK remains in the EU or leaves with a deal, different answers will apply.