UK GDPR Representative
Service

  • Companies who are not established in the UK but are currently trading here must appoint a UK GDPR Representative to comply with Article 27 of the GDPR.
  • With British and Canadian legal qualifications and extensive commercial law experience on both sides of the Atlantic, Plain English Law is uniquely qualified to provide this service to overseas businesses trading in the UK.
  • As GDPR specialists, Plain English Law can be your point-of-contact in the UK, and simplify the Article 27 compliance process for your business.

Scottish and Canadian-qualified Plain English Law is the natural choice as your UK GDPR Representative.

 

+ - Transatlantic qualifications

After a career in chemical engineering, Plain English Law's Trevor Fenton trained as a lawyer in Ontario, Canada. He started practising in British Columbia in 2007, before relocating to the UK in 2011.

Qualifications:

  • Law Society of Scotland - Solicitor (2015)
  • Law Society of England & Wales - Solicitor (2011)
  • Law Society of British Columbia - Barrister & Solicitor

 

+ - GDPR expertise

The International Association of Privacy Professionals (IAPP) is a global organisation with approx. 50,000 members based largely in the US and in Europe.

The IAPP runs a certification scheme for professionals working in data privacy (CIPP). Trevor is a Certified Information Privacy Professional for Europe (CIPP/E) and is currently working on his certification for Canada (CIPP/C).

CIPP certification is an internationally recognised mark of trust in GDPR expertise.

https://iapp.org/certify/cipp/

 

+ - Commercial experience

Trevor has a keen practical understanding of small and medium-sized businesses:

  • Three years as finance director of a small international firm,
  • Nearly five years as Head of Legal at a rapidly growing Scottish multinational,
  • Two terms as a non-executive director with Modo, Vancouver's car-sharing cooperative.

 

The best thing is, we do it all in plain English.

Book your free 30-minute consultation.

Frequently Asked Questions

+ - Do I need a UK GDPR Representative?
Under Article 27 of the UK GDPR, you need a GDPR representative in the UK if:
  • You don't have an establishment in the UK, and

  • Your business is subject to the UK GDPR anyway.

Overseas companies are subject to the GDPR when they:
  • offer goods or services to UK consumers, or
  • monitor the behaviour of people in the UK (such as with behavioural advertising, web browser tracking using cookies, or browser fingerprinting).
With Brexit, this rule applies for the first time to companies based in the EU (and the broader European Economic Area).

 

+ - What’s the difference between an EU and UK GDPR Representative? Do I need both?
The function is exactly the same: to act as a local GDPR point of contact.
However, the UK is no longer a member of the EU. That means EU-based representatives can no longer cover the UK, and UK-based representatives can no longer cover the EU. 
 As a result: 
  • Some EU companies now need a UK GDPR representative. 
  • Some UK companies now need an EU GDPR representative. 
  • Some companies from elsewhere in the world now need both an EU GDPR representative and a UK GDPR representative. 

 

+ - Does a UK company need an EU GDPR Representative?
If a UK company has no establishment in the EU, it will need an EU GDPR Representative if it sells to consumers in the EU, or if it monitors the behaviour of EU residents. This is a new requirement because of Brexit. 
The UK is now a “third country” under EU law. Under the EU GDPR, UK companies are now treated the same as companies from other non-EU countries with “adequate” privacy laws, such as Canada, Israel, and Argentina.  
+ - Does an EU company need a UK GDPR Representative?
It’s the same answer as the previous question, but in reverse. 
If an EU company has no establishment in the UK, it will need a UK GDPR Representative if it sells to consumers in the UK, or if it monitors behaviour of UK residents. This is a new requirement because of Brexit. 
+ - What does a UK GDPR Representative do?
In simple terms, a UK GDPR Representative is a UK-based point of contact for a foreign company without an office in the UK. This makes it easier for UK residents to send their GDPR queries to the company.  
The foreign company must provide their UK Representatives contact details in their privacy notice. 
The minimum level of service would be for the UK Rep to forward privacy-related requests from UK customers to the foreign company. The company may then deal directly with the customer, or they may ask the UK Rep to do that for them. 

 

+ - Who can be my UK GDPR Representative? What qualifications should I be looking for?
The GDPR does not set any minimum qualifications. However, Recital 80 of the GDPR says that your representative: 
  • should act on your behalf regarding your GDPR obligations; 
  • may be contacted by the ICO (the UK’s Information Commissioner’s Office); 
  • should cooperate with ICO to ensure your compliance with the GDPR. 
A good GDPR Representative can do a lot more than just forward incoming correspondence to you. They’ll be able to triage the correspondence for you, advise on deadlines for responding, and provide support on more complex cases. 
Your company might have its own internal GDPR expertise. Even then, you should probably choose a representative with a strong practical and legal understanding of the GDPR. 

 

+ - What are the consequences of not having a UK GDPR Representative? (recent case summary)
Honestly, nobody really knows yet. Some service providers are using the fear of large GDPR fines to market their GDPR representative services. We think that's disingenuous. 
As of September 2021, there was only one fine relating to Article 27 in the GDPRHub database. It’s a big fine, but there’s more to the story than just failing to appoint an EU Representative. 
In May 2021 the Dutch data protection authority fined Canadian company called Locatefamily.com €525,000 for breaching Article 27. Complaints had been filed against the company in at least 10 EU countries for, among other things, not responding to requests for erasure of personal data. The company denied being subject to the GDPR at all, and still had not appointed a representative when the fine was issued.  
This case is surely a warning to overseas companies: don’t be arrogant or dismissive about the GDPR when you’re handling EU or UK personal data. However, will you get a massive fine just for failing to appoint a GDPR Representative? That seems like scaremongering to us.  
Still, the risk of fines for not appointing a GDPR Representative is largely unknown. The reputational risk could be more of a problem.  
More importantly, the cost of compliance with Article 27 is pretty small. To find out more, contact us for an initial consultation
+ - How long will I need a UK GDPR Representative for?
You need a UK GDPR Representative for as long as you hold on to the data that triggered the requirement in the first place.  
Contact us for a free initial consultation on your GDPR compliance needs. 

Book your free 30-minute consultation.

Back to top