Brexit: do you need to appoint a data privacy representative?

Whether or not a Brexit deal is ultimately derailed by cod and pollock quotas, data movements between the UK and Europe will continue unabated. In 2018, the formal implementation of GDPR became a material compliance issue for many businesses, and that same regulation will give rise to fresh questions through 2021 as the Brexit barrier is erected between the UK and the EEA from 31 December.

Even if the EU does grant the UK the “adequacy” status which would simplify the continued transfer of data between the two, one (perhaps previously) overlooked article will take much greater significance for those processing data in either territory, namely, the Article 27 obligation to appoint a Representative where the relevant business has no local establishment.

This obligation is reflected in the UK’s post-Brexit application of GDPR (to be known creatively as “UK GDPR”) and mirrors the very same issue faced by UK entities seeking ongoing activities in Europe.

Who must appoint a Representative?

UK GDPR requires the appointment of a UK Representative for any entity:

• offering goods or services, whether or not paid-for, to data subjects in the UK; or
• monitoring the behaviour of individuals as far as their behaviour takes place within the UK whether they are acting as controller or processor.

The requirement is neutral as to form and industry, so applies whether that entity is listed on a stock exchange or is a trust, and whether it is operating in online enterprise, manufacturing yachts or broking PPE supplies. If UK GDPR applies, then so does the requirement to appoint a UK Representative.

What are the penalties for failure?

The threat of sanctions aims to drive compliance and a fine of 2% of global turnover or €10,000,000, whichever is higher, means that a failure to appoint a UK Representative could signify a substantial error of judgement. It remains to be seen if any funding cuts reflected in the budget of the ICO (the UK data supervisory authority) as a result of COVID-19 encourages a greater degree of enforcement of this provision as well as more generally.

What is behind the requirement?

The core principle is that the ICO, and the individuals about whom entities process personal data, should have a first point of contact, which enables barrier-free communication. There is no formal language test, so no matter how well they already speak English, entities who lack a local establishment will still need to appoint a UK Representative. This is not to be confused with the separate obligation to appoint a Data Protection Officer (DPO) where appropriate, but a standalone obligation arising out of a simple test of establishment.

How is establishment defined?

Formal guidance from the EU has helped narrow down the parameters of what is an establishment for GDPR purposes:

• Being able to access a website in the UK does not constitute establishment;
• Formal local registration of an entity (a branch or subsidiary) is not necessarily required; and
• The presence of a sales agent or single employee in the territory may be sufficient if that presence can be shown to provide a real and effective activity exercised through a “stable arrangement”, but clarifying an entity’s position requires case-by-case consideration.

Making the appointment

Whether or not UK GDPR will apply to an entity’s activities will depend on its actual processing activities. Once that question is resolved, then the establishment test above will identify the need to appoint a UK Representative.

An appointment must be made in writing and then publicised to third parties – normally a line is added to a privacy policy giving the contact details of the UK Representative. The services provided will depend on those offered by the relevant UK Representative. However, for those businesses whose key privacy concerns relate to data loss and cyber-security it will be important to maintain clear distinctions as to who performs which role; privilege must be retained in relation to legal advice, and DPOs must remain independent of DPOs.

For more information on the Article 27 obligation and to discuss whether you need to appoint a data privacy representative, please contact Rupert Casey.