Appointing a UK Representative to comply with the UK GDPR

What is the UK GDPR?

The UK General Data Protection Regulation (the “UK GDPR”) is the main body of law governing the processing of personal data (meaning any information relating to an identified or identifiable natural person (a data subject)) in the UK; it is the UK’s version of the EU General Data Protection Regulation.

The UK GDPR applies not only to UK-based businesses and natural persons who are processing personal data in the UK but also to controllers and processors who have no offices, branches or other establishment in the UK if their processing activities relate to:

  • offering goods or services to individuals in the UK; or
  • monitoring the behaviour of individuals taking place in the UK.

If your business meets these criteria then you are required to appoint a UK representative under Article 27 of the UK GDPR. The requirement does not apply if you are a public authority or your processing is occasional and is of low risk to the data protection rights of individuals and does not involve large-scale use of special category or criminal offence data. Having a representative in the EU is no longer sufficient.

Failure to appoint a UK representative can result in large fines (up to £8.7m or 2% of worldwide annual turnover (whichever is greater)).

What is a UK Representative?

The role of the UK representative is to act as a local point of contact in the UK for data protection matters in order to:

  • represent you regarding your obligations under the UK GDPR and Data Protection Act 2018;
  • deal with data subjects seeking to exercise their rights under the UK GDPR (such as data subject access requests);
  • act as the contact point with the UK’s supervisory body, the Information Commissioner’s Office (the “ICO”); and
  • hold a copy of your Records of Processing Activities (ROPA) for review by the ICO if they request it as required under Article 30 of UK GDPR.

The UK representative must be appointed in writing, and the written appointment should set out the terms of your relationship with the UK representative. The role can be fulfilled by an individual or a company or organisation established in the UK; typically law firms or consultancies are appointed.

As its main role is to be the first point of contact for data subjects and supervisory authorities, the UK representative details must be easily available to data subjects (usually this is achieved in the privacy notice) and to supervisory authorities (typically achieved by publishing details on the business’ website).

How We Can Help

At Garfield Smith – Technology & Data Lawyers we have many years of extensive experience in helping organisations navigate UK and EU privacy and data protection compliance matters. We also provide a service whereby we act as your UK representative and assist with the matters set out above and with UK GDPR compliance generally. For further information, please email or call us on +44 (0)20 7873 2361.

14 September 2021