UK GDPR Representative
- Companies who are not established in the UK but are currently trading here must appoint a UK GDPR Representative to comply with Article 27 of the GDPR.
- With British and Canadian legal qualifications and extensive commercial law experience on both sides of the Atlantic, Plain English Law is uniquely qualified to provide this service to overseas businesses trading in the UK.
- As GDPR specialists, Plain English Law can be your point-of-contact in the UK, and simplify the Article 27 compliance process for your business.
Scottish and Canadian-qualified Plain English Law is the natural choice as your UK GDPR Representative.
After a career in chemical engineering, Plain English Law's Trevor Fenton trained as a lawyer in Ontario, Canada. He started practising in British Columbia in 2007, before relocating to the UK in 2011.
- Law Society of Scotland - Solicitor (2015)
- Law Society of England & Wales - Solicitor (2011)
- Law Society of British Columbia - Barrister & Solicitor
The International Association of Privacy Professionals (IAPP) is a global organisation with approx. 50,000 members based largely in the US and in Europe.
The IAPP runs a certification scheme for professionals working in data privacy (CIPP). Trevor is a Certified Information Privacy Professional for Europe (CIPP/E) and is currently working on his certification for Canada (CIPP/C).
CIPP certification is an internationally recognised mark of trust in GDPR expertise.
Trevor has a keen practical understanding of small and medium-sized businesses:
- Three years as finance director of a small international firm,
- Nearly five years as Head of Legal at a rapidly growing Scottish multinational,
- Two terms as a non-executive director with Modo, Vancouver's car-sharing cooperative.
Book your free 30-minute consultation.
Frequently Asked Questions
Do I need a UK GDPR Representative?
Under Article 27 of the UK GDPR, you need a GDPR representative in the UK if:
You don't have an establishment in the UK, and
Your business is subject to the UK GDPR anyway.
Overseas companies are subject to the GDPR when they:
- offer goods or services to UK consumers, or
- monitor the behaviour of people in the UK (such as with behavioural advertising, web browser tracking using cookies, or browser fingerprinting).
With Brexit, this rule applies for the first time to companies based in the EU (and the broader European Economic Area).
What’s the difference between an EU and UK GDPR Representative? Do I need both?
The function is exactly the same: to act as a local GDPR point of contact.
However, the UK is no longer a member of the EU. That means EU-based representatives can no longer cover the UK, and UK-based representatives can no longer cover the EU.
As a result:
- Some EU companies now need a UK GDPR representative.
- Some UK companies now need an EU GDPR representative.
- Some companies from elsewhere in the world now need both an EU GDPR representative and a UK GDPR representative.
Does a UK company need an EU GDPR Representative?
If a UK company has no establishment in the EU, it will need an EU GDPR Representative if it sells to consumers in the EU, or if it monitors the behaviour of EU residents. This is a new requirement because of Brexit.
The UK is now a “third country” under EU law. Under the EU GDPR, UK companies are now treated the same as companies from other non-EU countries with “adequate” privacy laws, such as Canada, Israel, and Argentina.
Does an EU company need a UK GDPR Representative?
It’s the same answer as the previous question, but in reverse.
If an EU company has no establishment in the UK, it will need a UK GDPR Representative if it sells to consumers in the UK, or if it monitors behaviour of UK residents. This is a new requirement because of Brexit.
What does a UK GDPR Representative do?
In simple terms, a UK GDPR Representative is a UK-based point of contact for a foreign company without an office in the UK. This makes it easier for UK residents to send their GDPR queries to the company.
The foreign company must provide their UK Representatives contact details in their privacy notice.
The minimum level of service would be for the UK Rep to forward privacy-related requests from UK customers to the foreign company. The company may then deal directly with the customer, or they may ask the UK Rep to do that for them.
Who can be my UK GDPR Representative? What qualifications should I be looking for?
The GDPR does not set any minimum qualifications. However, Recital 80 of the GDPR says that your representative:
- should act on your behalf regarding your GDPR obligations;
- may be contacted by the ICO (the UK’s Information Commissioner’s Office);
- should cooperate with ICO to ensure your compliance with the GDPR.
A good GDPR Representative can do a lot more than just forward incoming correspondence to you. They’ll be able to triage the correspondence for you, advise on deadlines for responding, and provide support on more complex cases.
Your company might have its own internal GDPR expertise. Even then, you should probably choose a representative with a strong practical and legal understanding of the GDPR.