UK GDPR Representative
Episode Title: UK GDPR Representation part 1
Companies who trade in the UK but have no fixed “establishment” here are required to appoint a UK GDPR Representative to be compliant with Article 27 of the GDPR. But what does that actually mean?
What does a UK GDPR Representative do? Who can be a UK GDPR Representative? How much do they cost? What are the consequences if a business needs a UK GDPR Representative but chooses not to hire one?
This two-part episode does a deep-dive into what UK GDPR Representation is all about, and is supported by a list of FAQs at the bottom of the page.
Speaking: Dayle Rodriguez from Amakari Services interviews Trevor Fenton from Plain English Law.
Recording Date: 06 Sept 2021
Recording Length: 00:14:39
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. This is Part One of a two-part episode where Dayle and I discuss the role of UK GDPR Representatives for overseas companies. You can find Part Two on our main podcast page at https://plainenglish.law/podcasts/.
In Part One, I use examples to show:
- Which businesses need a GDPR Rep and which ones don’t.
- What a GDPR Rep actually does and what their services typically cost.
- The effects of Brexit on GDPR Representation.
- And finally, the potential consequences of needing a GDPR Rep but not having one.
As a side note, near the end of Part 1, I said I didn’t know of any companies having been fined for not having a GDPR Rep. Well, as it turns out, I found one about a week after making this recording. A short summary of that case can be found in our list of FAQs here: https://plainenglish.law/uk-gdpr-representative/#faq
TF: We are talking about UK GDPR Representatives. So you hear the term “UK GDPR Representative”. What’s the first question that pops in your head?
DR: For me, I start thinking about the ICO (Information Commissioner’s Office), but maybe it’s because I’m too close to it. Like, is it someone that has to negotiate between the business and the ICO? Does there have to be someone in place?
DR: No, see there you go, completely wrong. (laughing)
TF: So, the basic idea behind the GDPR, of course, is to protect people’s data no matter where it’s being held in the world. If you live in the UK you are covered, your data is protected by the UK’s GDPR. Now the UK’s GDPR used to be the exact same as the EU’s GDPR when the UK was part of the EU. Brexit has changed a lot of things and not very much at the same time, if that makes sense when it comes to GDPR.
So what happened was that the UK left the EU. We took with us our own copy of the GDPR, we essentially photocopied it more or less. So the UK’s GDPR is now a separate law but, practically speaking for most businesses, it is essentially the exact same GDPR as they were subject to before Brexit.
What’s different though is that, sorry, I’ll try that again. What’s always been part of the GDPR is when an organisation located outside the EU, that doesn’t have an office in the EU, might still be subject to the GDPR if it is processing, basically, if it’s selling stuff to consumers in the EU.
So let’s say a Canadian company for example. It’s got offices only in Canada, and you would think, well, how does the GDPR apply to a Canadian company? It applies to that Canadian company if it is selling to consumers in the EU, or if it is tracking the behaviour of people within the EU, say by using technologies such as website cookies. Yep.
TF: So your Canadian company’s website is accessible from the EU, it’s being visited by EU people, you’re putting cookies on their devices, you’re doing monitoring for marketing purposes, you’re monitoring what pages they visit, you’re using Google Analytics for example – just doing that brings the Canadian company within the EU’s GDPR.
Well now, it also brings it within the UK’s GDPR if it’s UK people that they are selling to, or UK people that they’re monitoring.
Here’s the thing: under the GDPR, they’ve always had to get a representative located within the EU. So if you don’t have an office in the EU but you’re subject to the EU GDPR, you have to find an EU-based representative and basically provide their contact details in your privacy notice.
So let’s say a German person is browsing or shopping on your Canadian website, and then you sell something to them, and they think: ‘Well, I don’t like what this Canadian company is doing with my data’ – they have to have the ability to contact an EU-based representative to complain to them and say: ‘Hey, I don’t like what that Canadian company is doing with my data’ or even ‘I want to know what data that Canadian company has got.’ They have to have some sort of a local option if you will.
DR: So I’m probably going to paraphrase this in a horrible way but essentially, what Plain English Law would be is the GDPR punching bag, right?
TF: No, well, not so much the punching bag as the relay point.
DR: That’s a better way of saying it – the relay point – because companies have to have a representative in the UK for EU and UK customers, and Plain English Law can be that representative.
TF: Exactly. So in other words, the Canadian company could say: ‘Our representative in the UK is’, or rather, to UK consumers: ‘If you’ve got questions about your GDPR rights, contact us via Plain English Law’ and it would give Plain English Law’s contact details. So that way your UK consumer doesn’t have to be contacting a Canadian company, you know, having to make an international call to deal with what is perceived to be a hassle.
Whether it is that much of a hassle, these days or not, is a totally different matter, but that is what the law requires. If you are selling into the UK to consumers or if you are tracking the behaviour of people within the UK, through your web cookies, etc., you have to have a UK contact point for people to exercise their GDPR rights.
DR: Using the Canadian company example, what are the repercussions of not having an EU or UK GDPR Representative?
TF: You’ve committed an offence under the GDPR. You could theoretically be sued, but that’s not likely going to happen. You could be subject to a fine. The Information Commissioner’s Office (ICO), which is the regulator in the UK that’s responsible for enforcing the GDPR, if a UK consumer were to complain to the ICO: ‘Hey, this Canadian company doesn’t have a GDPR Rep in the UK, and they need one because they’re selling to me and I’m in the UK’, then you could be subject to a fine.
It’s a fairly basic compliance step. It’s a simple compliance step, you just have to have a contact point, that’s all. If you’ve got an office, or some kind of permanent establishment in the UK, then you don’t need to appoint a Rep because you already have that contact point.
So if that Canadian company had a subsidiary over here or had an office in the UK, then they wouldn’t need to appoint the Rep because they’ve got an establishment here and that would be the contact point. They would just simply provide those contact details in the UK instead. It’s companies that don’t have an establishment in the UK and are selling into the UK – those are the ones that need to appoint a representative.
DR: And can I assume that you need a representative as long as you’re trading in the UK or EU and don’t have a presence there? There’s no timeline on this – until you actually establish a business premises or…
TF: Or stop selling into the UK and purge the data, that’s right. Basically, as long as you’re processing that data, as long as you’re holding onto that data about UK consumers, then you need to have a representative locally.
Now, what’s curious and what’s a bit irritating, I think, for a lot of businesses in Europe about Brexit is the fact that a UK business that’s selling into the EU has never needed to appoint an EU representative until the Brexit transition period ended. Now in 2021, if you’re a UK business and you’re selling into the EU (actually the EEA, so throw in Norway, Iceland and Liechtenstein with that), you need to appoint an EU Rep. Pick a country, any EU country into which you are selling; you need to appoint a rep in one of those countries. That wasn’t necessary before Brexit.
Similarly, a German company, a French company selling into the UK if they don’t have an establishment in the UK, some kind of office or subsidiary in the UK, then that French company needs to appoint a UK Representative. Again, they never needed to do that before Brexit, but now it’s necessary.
DR: How much does a GDPR Representative cost?
TF: It depends on the size of the company, but the basic price starts at £25 a month, billed annually in advance, and a one-time setup fee of £100.00. So, because we have to open the client file and get to know who you are and get to know your business first, and then depending on how big your business is and how many customers it’s got in the UK, once we sort that out that’s when we can give it a more precise price.
Because what the service involves is, if someone in the UK wants to contact your business, and they come through Plain English Law because we are your representative in the UK, every piece of correspondence that we get we have to scan it and forward it to you, and possibly reply on your behalf once you instruct us to do that. The bigger your company is, and the more customers it’s got in the UK, the higher that volume of correspondence is likely to be. So that’s why there is no clean answer to the price question. But the basic price will start at £25 per month.
DR: Paid upfront in advance, so £300 a year initially. And like you said, as an example, if you had an e-commerce business that has 1000 transactions per day, that fee is going to be a lot more than a service-based business that has 10 transactions per month, because the potential for a customer to contact the representative which is you, Plain English Law, goes up, so there’s going to be a potential increase in fees, right?
TF: Correct. Realistically speaking, the likelihood of there being thousands of people contacting your GDPR Rep is almost 0. I mean, realistically speaking, most businesses do not get contacted very often by people asking to have access to a copy of their data, but it’s for that moment when somebody does, that’s when your lack of a Rep can cause a problem and could cause an investigation right then and there.
Because it’s a fairly basic requirement of the GDPR: ‘Don’t have an office here? You need a Rep.’ People need someone in the UK that they can contact. If they can’t contact anyone and they complain, that’s the issue.
DR: I guess because it’s a fairly new law in terms of notoriety or people knowing about it, there haven’t been that many cases of this happening? Are there any stats on how many companies have been fined or how many companies are potentially at risk?
TF: Correct and, to be perfectly honest, I haven’t heard of people being fined for not having a GDPR Rep. But I’ll tell you why I think that is.
There are a few reasons. First of all, the GDPR is relatively new. It’s only been in force for a little over three years, and the enforcement is only starting to ramp up now in different countries.
Secondly, practically speaking, it’s a problem only for smaller companies. Because if a company is large enough, it’s probably going to have an office in many of the countries that it does business in. You wouldn’t have an office in every single country you sell to, and almost no company does that unless they are the size of Microsoft. But what you might have is probably one office at least in the EU. That office may in fact be in the UK if you’re a larger company, or it might be somewhere else in Europe.
If it is somewhere else in Europe, that used to mean (before Brexit) that you would also have the UK covered, and now you don’t. A lot of companies use Ireland as their EU base because Ireland’s got a very favourable tax structure for international companies, and so that is often a first port-of-call for companies looking to establish themselves in the EU, particularly when they saw Brexit coming. They said: ‘Alright, we want an English-speaking country in the EU.’ Business-friendly Ireland fit that bill, so Ireland has been a destination for multinational companies for a large number of years.
Having located in Ireland used to cover off the UK for EU-related issues. Now it doesn’t, so suddenly it triggers this requirement to have GDPR representation. Brexit has triggered this requirement for companies that are using Ireland as their European base.
End of Part 1 transcript
Continue with Part 2 here: https://plainenglish.law/podcast-uk-gdpr-representative-part-2/