Under Brexit the UK will cease to be part of the European Union on 31st October 2019 in the absence of a “deal” to extend the deadline. One implication of this is that UK businesses which hold, obtain or use data about EU citizens after the 31st will most likely have to formally appoint an “EU representative” within the EU for data protection purposes.
The representative is not intended to be a simple box-ticking appointment. It will act as the go-between and single point of contact for all data protection matters, whether with individual citizens or data protection authorities, and must maintain the record of processing activities (ROPA) describing what an organisation does with EU citizens’ data. The representative can be a company or an individual, but it must be named in the privacy information the organisation makes available to EU citizens.
If your business is required to appoint a representative and does not, action by a European data protection regulator could cause interruption to your business or result in legal action being taken against you.
Which businesses must appoint a representative?
Any non-EU business or organisation which systematically offers services to EU citizens or processes data about EU citizens after Brexit is likely to continue to be subject to the General Data Protection Regulation (“GDPR”) and will likely be required to appoint an EU representative.
Technically, non-EU organisations are subject to GDPR (Article 3(2)) if they obtain or process the personal data of individuals in the EU (citizenship is not the test; presence in the EU is), either in connection with offering “goods and services” to them (including free services) or “monitoring their behaviour” within the EU.
A representative is not required if the organisation already has an “establishment” within the EU (meaning it is already subject to EU laws) or if it meets one of the limited exemptions in Article 27(2): broadly, public authorities, and organisations whose processing is only occasional, does not include large-scale processing of special categories of data or data relating to criminal convictions and offences, and is unlikely to result in a risk to individuals’ rights and freedoms.
What constitutes “offering goods and services”?
The business or organisation must “envisage” providing goods or services to EU citizens. The fact that EU citizens can access a website or otherwise identify the provider may not be enough to make an organisation subject to GDPR, but evidence that EU citizens are intended to be able to receive goods or services is likely to be enough.
What is implied by the term “monitoring their behaviour”?
“Monitoring” will not result from routine online collection or analysis of personal data (for example, website analytics) or occasional contacts with persons within the EU. However, any focused or deliberate analysis of EU citizens, including via behavioural advertising/marketing, conducting surveys, or conducting statistical analyses of personal data – whether for the business or organisation’s own purposes or those of another – is likely to amount to “monitoring”.
What actions should I take to prepare?
Organisations which make use of EU citizens’ data need to determine whether they will be subject to GDPR after “Brexit” as a result of offering goods/services or monitoring behaviour – and, if so, whether any of the exemptions in Article 27 allow them to avoid appointing a representative.
If a representative is required, it must be appointed by the “Brexit” date and must be able to fulfil its functions, including having access to all necessary records, by that date.
Preparing in advance of the 31st of October 2019 will ensure your organisation’s compliance.