European Data Flows: Does your business need a European Representative after Exit from the European Union?
As Brexit continues to frustrate us all, and its implications remain an uncertainty for many businesses, the ICO have issued guidance to help prepare businesses for life post-Brexit.
Following our departure from the EU, the UK will become a “third country” for the purposes of the GDPR unless we are given “adequacy” status by the EU. This will only happen if the EU are content that the UK’s data protection legislation reaches the standard set by EU Regulations. Whilst it may seem obvious to many that this has already been achieved by our adoption of the GDPR and ratification of the Data Protection Act 2018, we must still achieve adequacy and this is something we don’t presently have.
This means that businesses which offer goods or services to, or which monitor the behaviour of, individuals in the EEA, despite not having a branch or office in that county, are still required to comply with the EU GDPR. To do this, these businesses will be required to appoint a European Representative.
This representative will work on behalf of your business and may be either an individual or organisation. As per guidance from the European Data Protection Board (Guidelines 03/2018), this representative should be located in the EEA at the place where most of your data subjects are resident. However, if there is an even spread of individuals located across several countries, the representative should still be easily accessible to them.
You must make the appointment of your representative in writing, setting out the terms of your relationship. In practice, this can take the form of a service contract with the individual or organisation. Within this appointment, the representative must be authorised in writing to act on your behalf regarding compliance with the GDPR as they may be required to deal with any supervisory authorities or data subjects in this position.
There are a limited number of exceptions to this, including where the data you are processing is occasional and low risk to the individuals, but it would be better to seek advice on these exceptions before processing the data to ensure that all regulations are being complied with.
If you think that this will affect your business or organisation, please don’t hesitate to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 2263699 for further information.