31st October 2019 is approaching with the possibility of a no-deal Brexit on the horizon; there are some significant upcoming changes that UK-based data controllers and processors need to prepare for.
GDPR’s territorial effect is extensive and is not limited to EU-based organizations. The intention is that all organizations operating within the EU are subject to the same rules, regardless of where they are based. This means that the regulation applies to organizations, wherever they are established, that process personal data in the context of offering goods or services to data subjects in the EU. It also applies to those who process personal data in order to monitor the behavior of data subjects in the EU. Therefore, companies based in the USA and other non-European Economic Area (EEA) countries already need to comply with GDPR.
Brexit and GDPR: Appointing EU representatives
Although GDPR already applies to UK firms, post-Brexit they will be treated as foreign companies and will need to comply with an additional requirement. The most important is that data controllers and processors from outside the EU who are subject to GDPR, but who do not have an establishment in the EU, must appoint an EU representative. This is not the same test as whether an organization needs to appoint a Data Protection Officer (DPO), although it uses some of the same concepts. If a firm needs to appoint an EU representative, it is essential to understand that the representative is more than just a post box.
If the organization only operates in one member state of the EU, the EU representative should be from that state. Liability is a significant issue that has deterred some organizations from taking on the EU representative role. Although appointing a representative does not remove the organization's primary responsibility, the representative itself may be subject to fines and penalties in cases of data breaches. A reputable representative will have to consider this risk and may put insurance in place to cover it. Organizations should be cautious about anyone offering a representative service without being aware of the liability issues.
Brexit and GDPR: Other steps to follow
Privacy notices also need to be maintained, future-proofed and updated to include details of the EU representative. Whether or not a representative is required, organizations will need to explain that personal data transferred outside the EEA requires a legal basis for the transfer. One other noticeable difference for UK organizations post-Brexit will be that they will no longer be able to benefit from the ‘one-stop-shop’ mechanism. This means that issues may need to be dealt with in multiple countries rather than with the Information Commissioner’s Office (ICO) only.
Firms should note that the requirement to appoint a representative does not apply to UK businesses that use an EU-based data processor only in the context of their non-EU activities. However, it is still likely that some regulations or documents will need to be identified to cover the transfer of data from the EU to a non-EEA country.
Finally, EU-based organizations that offer goods and services in the UK will also need to appoint UK representatives on a comparable basis very soon.