With the 31st October 2019 approaching and the possibility of a no-deal Brexit on the horizon, there are some important upcoming changes for data controllers and processors based in the UK who process the data of subjects based in the EU.
GDPR’s territorial effect is wide and is not limited to organisations established in the EU. The intention is that all organisations operating within the EU are subject to a level playing field, regardless of where they are based. This means that the regulation applies to organisations based in the EU and those that process personal data in the context of providing goods or services to data subjects in the EU.
It also applies to those who process data about data subjects in the EU to monitor their behaviour. Therefore, many companies based in the USA or other non-European Economic Area (EEA) countries already need to comply with GDPR.
Brexit and GDPR: Appointment of EU representatives
Although GDPR already applies to UK businesses, after Brexit there will be some changes: companies from outside the EEA must comply with a few requirements in addition to those that apply while the UK is a member of the EU. The most important is that data controllers and processors from outside the EU (including the UK after Brexit) who are subject to GDPR, but who do not have an establishment in the EU, must appoint an EU representative.
There are exemptions from this requirement where the processing is occasional, not on a large scale and unlikely to result in a risk to the rights and freedoms of individuals. This is not the same test as to whether an organisation needs to appoint a Data Protection Officer (DPO) although it uses some of the same concepts, such as whether there is any large-scale data processing.
If you need to appoint an EU representative, it is important to understand that the representative is more than just a post box. They must act under the instructions of the data controller or processor which appoints them to carry out tasks, such as providing data subjects with information, maintaining processing records and co-operating with the relevant authorities.
Their actions are based on a direct mandate from the controller or processor and, as such, they do not have the same degree of independence as a DPO. An outsourced DPO cannot take on the role, even if they are based in the EU, due to the conflict between the two roles. It is also inappropriate for one of the organisation’s data processors to take on the role.
If the organisation only operates in one member-state of the EU, the EU representative should be based in that state. For example, if you provide goods and services into France but no other EU country, you will need a representative in France. Where an organisation operates in more than one member-state, it should look at where the majority of EU data subjects are based when deciding where its representative should be based.
Liability is a significant issue which has deterred some organisations from taking on the EU representative role. Although appointing a representative does not remove primary liability from the organisation appointing it, the representative itself may be subject to fines and penalties.
A reputable representative will have to consider this risk and may have put insurance in place to cover it. Organisations should be wary of anyone offering a representative service who is not aware of the liability issues.
When appointing a representative, it is important to put in place a written contract setting out the role of the representative and appointing a single individual as a lead contact. The representative must also have the necessary language skills to communicate with data subjects and the regulators in the relevant member states.
It is also important to consider how liability issues are dealt with in that contract, given the risk that the representative takes of being directly subject to enforcement action.
Brexit and GDPR: Other steps to take
Privacy notices will also need to be updated to include details of the EU representative. Whether or not a representative is needed, organisations will also need to explain the fact that personal data will be transferred outside the EEA and should have a legal basis for that transfer.
One other noticeable difference for UK organisations post-Brexit will be that they will no longer be able to benefit from the ‘one stop shop’ mechanism. This means that issues may need to be dealt with in multiple countries, rather than with the Information Commissioner’s Office (ICO) only.
For example, multiple data breach reports may need to be made. Therefore, it is essential to ensure that any EU representative can act in each of the countries and languages relevant to the organisation’s processing.
It is worth noting that the requirement to appoint a representative does not apply to those UK businesses who use an EU-based data processor only in the context of their non-EU activities. However, it is still likely something will need to be put in place to deal with the transfer of data from the EU to a non-EEA country.
Finally, organisations from the EU who offer goods and services in the UK will also need to appoint UK representatives on a similar basis.