It’s not just businesses selling physical goods into Europe that need to think about the end of the Brexit transition period. Many online businesses could find themselves in breach of EU data protection law unless they take action ahead of 1 January 2021. That’s because the EU’s General Data Protection Regulation (GDPR) requires non-EU organisations to appoint a GDPR representative within the EU or EEA if they offer goods or services to EU/EEA individuals, or if they monitor the behaviour of EU/EEA individuals. It applies even where the services are offered for free. From 1 January 2021, when the Brexit transition period ends, UK organisations will have to comply or risk a fine.
We asked our data protection solicitor David Sant to outline what your business needs to do now to prepare:
'The GDPR representative has a few different roles. They are a point of contact for individuals who want to make requests or complaints about their data. They are also there for EU regulators (the equivalents of the Information Commissioner’s Office) to contact and, if necessary, to take enforcement action against. The representative also needs to maintain accurate records of the processing activities and be available to communicate in relevant EU languages, so it is a significant role that will require a services agreement.
'Many organisations will assume that they have already dealt with GDPR compliance back in May 2018, when the GDPR first came into force. But in 2018 there was no need for UK businesses to appoint a GDPR representative within the EU because the UK was already a part of the EU.'
What does your business need to do by 1 January 2021?
First, look at your processing activities. Are you processing data of EU/EEA individuals as part of offering goods/services to, or monitoring the behaviour of, those individuals? If so, you will need to comply with the EU GDPR, even after the end of the transition period.
Next, you need to consider whether you have any EU-based establishments, eg a branch office. If not, you will probably need to appoint a GDPR representative in the EU. There are some exceptions to this requirement, for example if the processing is only occasional and is low-risk, but businesses should take advice on whether their data processing falls into those categories.
The extra data protection implications of Brexit don’t end there. EU businesses may also need to appoint a UK GDPR representative under the UK’s own data protection laws. Non-EU businesses (eg US companies) that previously used the UK as an EU base for GDPR purposes may need to appoint representatives in both the EU and the UK. Additionally, any organisation that transfers personal data from the EU/EEA to the UK now needs to recognise that it will be transferring personal data out of the EU/EEA, and will need to make sure that transfer is lawful under the GDPR, possibly by amending the relevant contracts. Finally, the individual data subjects themselves need to be told clearly in privacy notices who the representatives are, and about any international transfers of data.
If your business needs urgent advice on what you need to do now to meet any of your legal obligations before the end of the transition period, get in touch with our expert solicitors today.