Ensuring you are compliant with the latest GDPR requirements is more critical than ever as regulators continue to crack down on non-compliant businesses. While most companies have taken steps to become compliant, many operating outside the UK are unaware of the need for a UK representative if they are processing UK consumer data.
With fines becoming more common, representing 2% of companies’ annual revenue on average, this can be a costly oversight.
If you’re wondering if this applies to you, you have come to the right place. We’ll be looking at the law in detail and what you need to do if it applies to you. Let’s dive in.
- What is a UK representative?
- When/Why do you need one?
- What are the consequences for non-compliance?
- What are the responsibilities of the UK Representative?
- What do you need to do to appoint a UK Representative?
What is a UK representative?
When/Why do you need one?
Since the United Kingdom left the EU, it has enacted its own GDPR regulations. These regulations require companies established outside the UK that sell goods or services within the UK, or monitor UK users’ behaviour, to appoint a UK representative and comply with UK GDPR.
Suppose your company has a permanent place of business in the UK. In that case, you do not have to appoint a UK representative. It’s important to note that a mailbox address or personal workspace does not count as a permanent place of business.
To summarise, if your company is established outside the UK but offers products/services to users within the UK (or monitors their behaviour), you are required to have a UK rep.
The need for a UK rep mirrors EU GDPR, where companies outside the EEA who offer goods/services or monitor EU consumer behaviour must have an EU rep.
If your company is established in the US, for example, but offers goods/services to the UK and the EEA, you will need both a UK representative and an EU representative.
Are there any exceptions to this requirement?
Similar to the EU GDPR, there are exceptions to this requirement, but they are limited in scope. This requirement does not apply where:
- personal data with low sensitivity is processed on an occasional basis and is unlikely to result in a risk to the rights and freedoms of data subjects
- the company is a public authority or body
If these exceptions do not apply to you, you must legally appoint a UK representative.
What are the consequences for non-compliance?
Well, in short, this can result in the ICO imposing heavy fines.
Suppose your company is within the scope of this requirement but has not appointed a UK representative. In that case, you are breaking the law by not complying with the UK GDPR. The Information Commissioner’s Office (ICO), the UK’s supervisory authority, can impose heavy fines.
There are two tiers of fines in the UK GDPR, the higher maximum and the standard maximum.
The standard maximum is a fine of up to £8.7 million, or 2% of the company’s annual revenue from the previous financial year, whichever is higher.
The higher maximum is a fine of up to £17.5 million, or 4% of the company’s annual revenue from the previous financial year, whichever is higher.
The standard maximum will apply in cases of non-compliance with the Article 27 requirement to appoint a UK Representative.
Does the UK GDPR requirement apply to both Data Controllers and Data Processors?
Yes, it applies to both data controllers and data processors. Article 27 of the UK GDPR specifically states that where the situation outlined above applies, “the controller or the processor shall designate in writing a representative in the United Kingdom”.
What are the responsibilities of the UK Representative?
The responsibilities of the UK Representative mirror those of the EU Representative:
- The representative is either the main or an alternative point of contact for data subjects in the UK and for the ICO. They are responsible for facilitating communication between the company they represent and whoever has made contact. Realistically, the representative will receive enquiries from your company’s customers who are exercising their data subject rights, and administrative notifications from the ICO.
- The representative works with the ICO in the performance of their tasks.
- The representative is responsible for retaining and managing records of processing activities for the represented company.
What qualifications and requirements apply to a UK representative?
The UK Representative must be located in the United Kingdom.
The UK Representative may be a person, a company or an organisation that is able to represent your company with respect to your responsibilities under the UK GDPR. The ICO gives the example of a law firm, consultancy or private company as possible UK Representatives.
What do you need to do to appoint a UK Representative?
The company must designate in writing the appointment of the UK Representative. This means they must expressly appoint the representative and direct them in writing.
Practically speaking, the responsibilities of the representative may be designated and recorded in a simple service contract. This service contract sets out the tasks, functions, and powers assigned to the UK representative under the GDPR. The represented company does not need to notify the ICO about its UK representative; however, details of the UK Representative should be easily accessible to the ICO and to UK-based individuals. This can be done by providing their details in the company’s data protection information (e.g. Privacy Policies) or by publishing them on the company’s website.