The UK General Data Protection Regulation (the “UK GDPR”) is the main body of law governing the processing of personal data in the UK, where personal data means any information relating to an identified or identifiable natural person (a data subject). It is the UK’s version of the EU General Data Protection Regulation.
The UK GDPR applies not only to UK-based businesses and natural persons who are processing personal data in the UK but also to controllers and processors who have no offices, branches or other establishment in the UK if their processing activities relate to:
If your business meets these criteria then you are required to appoint a UK representative under Article 27 of the UK GDPR. The requirement does not apply if you are a public authority, or if your processing is occasional, is of low risk to the data protection rights of individuals and does not involve large-scale use of special category or criminal offence data. Having a representative in the EU is no longer sufficient.
Failure to appoint a UK representative can result in large fines (up to £8.7m or 2% of worldwide annual turnover, whichever is greater).
The role of the UK representative is to act as a local point of contact in the UK for data protection matters in order to:
The UK representative must be appointed in writing, and the written appointment should set out the terms of your relationship with the UK representative. The role can be fulfilled by an individual or by a company or organisation established in the UK; typically law firms or consultancies are appointed.
As its main role is to be the first point of contact for data subjects and supervisory authorities, the UK representative's details must be easily available to data subjects (usually this is achieved in the privacy notice) and to supervisory authorities (typically achieved by publishing details on the business’s website).
At Garfield Smith – Technology & Data Lawyers we have many years of extensive experience in helping organisations navigate UK and EU privacy and data protection compliance matters. We also provide a service whereby we act as your UK representative and assist with the matters set out above and with UK GDPR compliance generally. For further information, please email email@example.com or call us on +44 (0)20 7873 2361.