UK GDPR Representative
- Companies who trade in the UK but have no fixed “establishment” here are required to appoint a UK GDPR Representative to be compliant with Article 27 of the GDPR. But what does that actually mean?
- What does a UK GDPR Representative do? Who can be a UK GDPR Representative? How much do they cost? What are the consequences if a business needs a UK GDPR Representative but chooses not to hire one?
- This two-part episode does a deep-dive into what UK GDPR Representation is all about.
Episode Title: UK GDPR Representation part 2
This two-part episode does a deep-dive into what UK GDPR Representation is all about, and is supported by a list of FAQs at the bottom of the page.
Speaking: Dayle Rodriguez from Amakari Services interviews Trevor Fenton from Plain English Law.
Recording Date: 06 Sept 2021
Recording Length: 00:26:15
Hi there, this is Trevor Fenton from Plain English Law. We’ve made this series of podcasts by recording conversations between me and Dayle Rodriguez of Amakari Services. This is Part Two of a two-part episode in which we discuss the role of a UK GDPR Representative. You can revisit Part One on our main podcast page at https://plainenglish.law/podcasts/.
In Part Two, Dayle and I talk about:
Qualifications and characteristics you should look for in a GDPR Rep.
“Red flags” to look for in your existing privacy notices.
Comparing the GDPR with the equivalent Canadian law, called PIPEDA.
And finally, why you should consider revisiting your approach to GDPR 3 ½ years after it came into force.
DR: In the last couple of years, I’ve come across a lot of GDPR “experts”. I don’t know why I use air quotes on a podcast, but I hope they can hear my tone of voice: experts. What could I, as the consumer or the conscientious business owner, look for as a seal of approval? A stamp that says this person actually knows what they’re doing, they’re not just reading some stuff off of Wikipedia and then rehashing information? What quality assurances can I look for when looking for a GDPR Representative?
TF: Well, you can look for certification from the IAPP. The IAPP is the International Association of Privacy Professionals and it’s an organisation with about 50,000 odd members across the world, based largely in the US and in Europe but very much a global organisation.
They have a certification scheme for European, Canadian, US, and Asian privacy expertise. You could look for someone who has the designation CIPP, which is a Certified Information Privacy Professional. I’ve got that designation for Europe (CIPP/E) and I’m working on the one for Canada (CIPP/C).
The CIPP certification is definitely a mark that shows that, number one: not only do you take the issue seriously, but you’ve passed a certification programme to demonstrate your knowledge of privacy law in that part of the world that you’re certified for. So that’s certainly one seal you can look for.
But aside from that, to be perfectly honest, there is no professional regulation of GDPR expertise. Anyone can call themselves a GDPR expert, and it does require a certain amount of due diligence on the part of the purchaser to dig a little bit deeper and find out if the person they’re talking to is actually knowledgeable about the topic.
And that’s a difficult thing for somebody to do when you are coming at it from outside of the UK or outside of the EU – you’re not actually subject to the GDPR in your day-to-day business quite the same way, so it can be a real challenge.
And really, it’s like any other professional service. You’re just going to have to talk to some people, talk to different service providers and decide who you’re comfortable going with.
DR: Have you ever come across any so-called experts and realised that what they’re saying isn’t correct? And are there any red flags that we could look for? You told us what we can look for as positives, but are there any phrases that people use that aren’t quite right? Or is this too broad a question?
TF: It is pretty broad. It’s difficult because, especially because I’m talking a lot about Canada here, because if you’re talking about GDPR and the GDPR “expert” immediately starts talking about “getting consent”, they may or may not know what they’re talking about.
My experience is, that is, consent is important under GDPR in some circumstances, but it’s not the be-all and end-all. In the early days of GDPR, when there was a rash of firms that came out advertising GDPR expertise because the business community was frankly running around trying to figure out what to do to get ready for this new law, there was a lot of not very good GDPR work that got done.
There was a bit of a feeding frenzy, I think, among professional services firms. And that would include law firms, consultancies that were unregulated, large accounting firms, lots of firms got in on this. And the buzzword at the time was definitely “consent”. People were saying: ‘You need consent to process data, so we’re going to write your privacy notice to say that you consent to this and you consent to that.’
I think a more mature understanding of GDPR would be that consent is one of the options, but it’s often not a very good option for many businesses, depending on what it is that they’re doing. So that would tend to be a bit of a red flag for me.
Now, if you’re in Canada, ignore everything I’ve just said. Because in Canada, the equivalent law to GDPR is a federal law called PIPEDA, the Personal Information Protection and Electronic Documents Act, which is the federal data protection law. There are a couple of provincial laws that replace it in British Columbia, Alberta and Quebec. Those laws are premised on consent first. The Canadian conception of “privacy” talks about consent non-stop. So, if you’re in Canada and the person you’re talking to says it’s got to be all about consent, they are probably right. If you’re in Europe, and if you’re in the UK or the EU and someone is talking nonstop about consent, they’re less likely to be giving you good advice.
DR: I remember you told me about the other pillars of GDPR, other than consent, and I’m laughing because I can’t remember what they are. You mentioned there are other things you can do to make sure that you’re GDPR compliant, it’s not just consent, there’s also…?
TF: What we’re talking about is the legal basis for processing data. So, whenever you are processing personal data about anybody, you have to have a legal basis for doing that. And the legal basis under the GDPR could be consent.
It could also be because the processing you’re doing is necessary in order to carry out a contract with the person whose data you’re processing. A simple example would be: you fill out an order form because you’re going to buy something from me and you put your name on it. That whole order form, what’s on that form, becomes personal data about you. I, as the business, am going to process that personal data about you just by storing it in my system. I’m now processing data about you. Why am I doing that? Because I can’t fulfil this contract with you unless I process that data.
Essentially, we’re signing a contract. You need to know who you’re signing the contract with, so that’s necessary. In that case, it’s not consent that I’m relying on. I’m relying on the fact that I’ve got a contract with you and this is necessary to do that contract.
DR: Which is “legitimate interest”?
TF: No. Legitimate interests is a separate basis. With legitimate interest, there doesn’t have to be a contract in place. It basically means, for what I’m doing, I’ve got a legal and reasonable purpose for processing the data. That purpose is for my benefit as the business processing the data, or it’s maybe even for the benefit of a third party. But the interest we have in this data is legitimate and the impact on you as the data subject does not outweigh my interest in processing the data.
This is all a very roundabout way of saying basically: ‘What I’m doing is legal and it’s fair, and it’s not particularly harmful to you, and I’ve done a balancing exercise where I’ve actually weighed this up.’
What I’m not saying is: ‘Oh look, this isn’t a big deal, end of story.’ What I am saying is: ‘This is not a big deal because I have looked at this closely. I’ve looked at the impact this could potentially have on you as the data subject, and I’ve concluded based on this analysis that actually the impact on you is manageable or is minimal and it doesn’t outweigh what I’m trying to do for my business or for my customer’s business.’
Now, the Canadians do essentially the same kind of analysis, except they frame it in terms of consent, specifically implied consent. It arrives at more or less the same destination, but it’s just a different way with some different terminology around it.
DR: So, to recap, a red flag you should look for when it comes to UK and EU GDPR expertise is when people only focus on kind of one area of GDPR, specifically consent. But also, in other places of the world, consent is actually quite a big part of being GDPR compliant or being data protection compliant.
TF: Correct. I think if the privacy notice that you’ve had prepared for you only talks about consent, or if it talks about consent in general terms without specifying what data is being processed while relying on consent, then… Sorry, I don’t know how to summarise this Dayle. Every time I try to give you a rule of thumb when we talk about consent, well, I can’t even say there is one.
Very often you’re going to see consent talked about in a privacy notice, and it’s actually been done perfectly well. It’s just that I see a lot of privacy notices that have a lot of elements that work or that could work, but it does require some training and some knowledge of the area to identify: ‘Ah! That’s not a good application of consent, or that’s even a total misapplication of consent.’
There’s just no way for me to give a quick rule of thumb that says: ‘Look at your privacy notice and this trick will tell you you’re in trouble.’
DR: Which I guess is kind of the solution you’re trying to provide as well, right? Because you say it can’t be done so quickly. It has to require some sort of technical expertise.
TF: Yeah, I think so. I think it’s not so much technical expertise as a good understanding of GDPR, and I’ll tell you why. Because I think most GDPR knowledgeable professionals, whether they’re lawyers, consultants, whatever their line of work is, anyone who has worked with GDPR over a period of time will have probably found that their understanding and their approach to GDPR has evolved.
I think the early days of GDPR, when the law was first published in 2016, they gave us two years to get ready. They passed the law in 2016 and the law came into effect in 2018. That two years was supposed to be spent getting ready for GDPR coming into force and a lot of companies wasted most of that time. There was a huge flurry in the last six months before the start of GDPR (‘Oh geez, we gotta get ready!’) and when I talk about having a more mature understanding of GDPR, I think the entire industry has developed a more mature understanding of GDPR.
And I think most professionals who wrote a privacy notice or gave some advice to a business in the early days 2016, 2017, 2018, they probably would give different advice now because they’ve come to understand some of the nuances, some of the problems that come from choosing certain approaches to GDPR.
The initial instinct people had was to go for consent because, instinctively, that makes sense. If I’ve got your permission to use your data, how can this be a problem? I think that’s what caused the mad rush towards consent in the early days.
Legitimate interest was looked at by a lot of people as being a basis that you would rely on as almost like a last resort if consent didn’t work. I think most of us have probably turned that completely around and thought, for businesses, they’re probably going to want to rely on legitimate interest and go to consent only as a last resort.
Because consent is difficult. It’s very difficult to manage. It’s difficult to get valid consent. You then have to manage the consent, because if someone turns around and says: ‘Actually, I withdraw my consent’, you just have to stop what you’re doing with their data. You have to prove that you’ve got a system in place to manage that, because you can’t just have requests coming in and falling into a dark pit never to be processed.
Consent is something that people can give to very specific activities. They can say: ‘I give you permission to do this but not that.’ Again, how do you manage what they’ve consented to and what they haven’t without having really efficient records-keeping?
Legitimate interest doesn’t have nearly that level of complication. Over time, I think what we’ve seen is the advice that people are getting, generally speaking, from GDPR consultants has shifted.
If businesses are still relying on the advice they got in 2017, 2018 when they were first getting ready for GDPR, that might be actually one of the red flags – you might want to actually have a second look at that because the understanding has shifted. Also because the way that data protection authorities across the EU and in the UK have approached GDPR has also, I think, been evolving.
I don’t think the ICO was ready on day one for GDPR. There was a lot of stuff on their website that was out of date as of the first day of the GDPR. It would have things like, essentially, ‘We haven’t written this guidance yet for GDPR’, ‘We haven’t updated it yet for GDPR’, etc. I think they’re pretty much caught up, but it’s taken them some time to update all of their guidance to reflect the GDPR.
If the ICO couldn’t even be ready for day one, and if their understanding has been evolving, and if the way that they’re approaching the behaviours that they’re seeing is evolving, then it stands to reason that those of us advising businesses are going to have an evolving understanding as well.
So, if you got ready for GDPR in 2017 or 2018 and you haven’t looked at it since, then two things. Number one: I think the understanding of the law has probably evolved since then, Number two: that’s 3.5 years since you got ready for GDPR – are you sure that your business is doing the same things it was doing 3.5 years ago?
I think you’d be pretty surprised how many of your data handling practices might have changed. You might have changed the apps that you use. The business report services that you use that handle personal data on behalf of your business, those have probably changed. How many of us had even heard of Zoom, Asana, Slack? I’d never heard of Slack before the pandemic started! Slack’s been around since well before the GDPR.
People are adopting new apps all the time. They need to be updating their records. They need to be updating their privacy notices to account for that. And if what you did was you got a GDPR project that got done in the early days and then just let it sit there since then, it probably needs a refresh.
DR: Two questions linking back to the actual proper FAQ. Sorry to go on a tangent. EU and UK GDPR Representatives – are they two different things? Do I need both?
TF: If you are located outside of Europe – let’s go back to the Canadian example – you will need both if you are selling into both the EU and the UK. So if you’re selling to consumers in both the EU and the UK, you will need representatives in both the EU and the UK.
DR: And if I’m a business in the UK, presumably I only need the EU one? And likewise, if I’m in the EU and only selling to the UK, I would then only need a UK GDPR representative?
TF: Correct, unless you’ve got an office here. If you have an establishment in the UK you don’t need a Rep. If a UK company has an establishment in the EU, it does not need an EU Rep because it’s got an EU address effectively, so it’s already got something there.
DR: The second question, I know you’ve answered it already, but I was hoping maybe you could drill down a bit if you’re able, maybe give us an example. So I already asked the question: ‘What does a UK GDPR representative do?’ And you explained your kind of like the mediator or the facilitator or…
TF: …or the contact point?
DR: Yes! The contact point. Sorry there, I should be using plain English, shouldn’t I? The contact point for these businesses. Are you able to explain what a GDPR Rep would do if a client or a client’s customer actually contacted you – what would actually happen?
TF: An example would be, you’ve got a UK customer or potential customer. Maybe somebody you’ve sent a marketing email to and they go: ‘Who is this company?’ So they go to your website and they see on your privacy notice; ‘If you’re in the UK, contact our representative in the UK – Plain English Law – you can contact them here.’
Next that person might write to Plain English Law saying: ‘I received an email from this company. Who are they and what information do they have about me?’ What your Rep will do for you partly depends on the service level you’ve paid for, but the basic function is for the Rep to turn around and forward that correspondence to you, because it’s you that needs to answer the data subject’s question.
Now you might answer that question back through Plain English Law, and you might need some help to figure out what is the correct answer to that question. Because if you’re a Canadian company, you’re accustomed to the Canadian way of responding to data requests from people. The rules are different under the GDPR than what you’re accustomed to. So you might not know: what are the time limits? What do I need to respond with? How comprehensive does my response have to be? Is there information that I can withhold? Can I outright refuse in some circumstances? Can I charge a fee for replying to it, etc.?
All of these kinds of questions, if you’re not located here and you’re not regularly dealing with GDPR, you probably wouldn’t readily know those answers. We, as your UK GDPR Representative, can advise on that.
But ultimately, what has to happen is someone has to reply to that data subject. And either you, as the business holding that data, could do that yourself once you’ve been handed the correspondence by us, or you could ask us to respond on your behalf.
DR: Would you say the value-add isn’t just being a contact point? It’s also being able to help respond correctly and in the right way?
TF: Exactly. Help responding correctly and on time with all of the required bits of information that the GDPR requires you to respond with.
DR: That’s the true value because anyone can just say: ‘I’ll be your representative.’ But if it was Joe-Bloggs-off-the-street and people send messages to Joe-Bloggs-off-the-street and they don’t respond properly, again, that could be a bigger problem than not having the representatives at all. Actually having a representative that knows what they’re doing and can advise on how to respond is the real true value of the service.
DR: Cool. I think you need to say that right? (laughing)
TF: Ok well, I wouldn’t say it’s the “true value of the service”. It makes the service more valuable. The primary value of the service is complying with the bit of the GDPR that says you have to have a representative in the UK if you don’t have an office here and you’re selling to UK consumers. That’s the essential rule.
DR: I guess maybe I’m being too salesy about it. From my point of view, it’s a hygiene cost that’s been added to businesses. It’ll be very frustrating because no one likes having hygiene costs for their businesses. But if you can say, actually it adds value, then people are happy to pay for it. Does that make sense?
I think the difference between some of the bogus people that I’ve spoken to and yourself is you actually have the values and the understanding to make sure it’s done correctly. Not just being the contact.
TF: I’m not going to suggest that other people don’t know what they’re doing. I’m going to suggest that I am able to explain things in ways that make sense to business, and are practical for business to implement.
I think other people who are offering a UK GDPR representative service, many of them will do a perfectly fine job. It’s just a question of who you would rather deal with and whether you’d like to get that service in plain English or in GDPR-speak.
Even for someone who is adamant about doing things in plain English, talking about GDPR in plain English can cause a brain-sprain at times because of the way the rules are phrased. It is very difficult sometimes to stay in plain English when you talk about this stuff and put it in terms that make sense to the business, rather than someone who’s really interested in the technical rules of GDPR.
But what I would say is that the primary reason to appoint a GDPR Rep is simply to comply with the requirement to have a GDPR Rep, however, what that GDPR Rep does for you once someone does contact them, I think that’s where the differentiator could be. What kind of support are you going to get in responding to that request?
You could look at the GDPR Rep as effectively just being a post box, and if that’s all that you’re getting then that may or may not be enough for you. But if you were a smaller business, if you’re a business that doesn’t have a location in the UK, chances are you’re not going to have total expertise in UK GDPR requirements.
How will you respond when somebody submits a data subject access request? They want to know what data you’ve got about them, they want copies of that data, they want you to erase their data. There are a number of exceptions to that requirement – do you know about them? For example, someone says: ‘Delete all my data.’ Do you have to actually do that? There are a surprising number of exceptions to that requirement.
DR: And in this instance, a UK GDPR representative with a certain skill set and experience level will be able to help advise on that?
TF: Exactly, because chances are you’re not going to get a massive number of UK data requests unless you’re a huge company. Those times when you do get those requests, because they will probably be few and far between, it means you probably won’t build the expertise to respond to them efficiently and correctly.
That’s where having that relationship with a UK GDPR Rep who’s got that knowledge, who can advise you on what the appropriate steps are and what the correct responses are, that’s where that value is going to come in.
End of Part 2 transcript
Revisit Part 1 here: https://plainenglish.law/podcast-uk-gdpr-representative-part-1/
Additional Reading: International Association of Privacy Professionals (IAPP) – CIPP Certification