If your company or startup is doing business in the UK, UK GDPR legislation applies to you. You may also require a UK Representative. Note that, if you are not currently serving customers in the UK, and do not plan to in the immediate future, you do not need a UK representative.
What is GDPR?
The General Data Protection Regulation 2016/679, known as GDPR, is a regulation on data protection and privacy. The laws emanate from the European Union and the European Economic Area, but GDPR’s application is not limited solely to the European region. Since leaving the EU, Britain has adopted its own version of GDPR; the UK GDPR.
What is the UK GDPR?
The UK GDPR is essentially identical to the EU GDPR rules. The main difference is that the UK government has freedom to amend and update the UK GDPR rules, without requiring any involvement or approval from the EU. Companies that do business in the UK must now adhere to the aptly named “UK GDPR”, which operates alongside an amended version of the 2018 Data Protection Act.
💡 Worth checking: The Ultimate Privacy Compliance Guide
The UK GDPR has 8 rights that individuals have over their data
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
👉 Get GDPR support for your business
What is a UK Representative?
A UK representative is a local point of contact based in the UK, who acts on behalf of the organisation that they represent and can help communicate with data protection authorities and individuals (usually customers or data subjects) about data protection matters. An organisation is now required to appoint a UK Representative if:
- The organisation is not established–they do not have an office or base–in the UK and
- The organisation either is offering goods or services to individuals in the UK or is monitoring the behaviour of individuals in the UK
The UK Protection Authority, known as the Information Commissioner’s Office, has confirmed that, although this requirement is not explicitly mentioned in the Data Protection Act 2018, the need to have a UK Representative stems from the UK GDPR rules.
💡Worth checking: how to navigate the UK’s AI regulations
Do UK companies need UK Representatives?
No, UK companies do not need UK Representatives to operate in the UK. However, they still must comply with the privacy laws including the UK GDPR and DPA 2018. A UK Representative is a unique role for businesses established outside the UK who must adhere to UK privacy legislation.
What are the responsibilities of a UK GDPR Representative?
There are two main roles that your UK GDPR Representative holds:
- Your Representative is the point of contact for any and all questions concerning the protection personal data of people located in the UK' data and
- Your Representative is the point of the contact for data protection supervisory authorities
Who must your UK Representative be?
Your UK representative may be either an organisation or an individual. They must be established in the UK. Your UK Representative must be able to represent your business with regards to any UK GDPR obligations, so your representative may operate from a private company, law firm, or a consultancy firm.
📚 Read more: learn the difference between a DPO and an AI Ethics Officer
Do UK GDPR Representatives need to be qualified?
Whilst there is no obligation for your UK Representative to be qualified, it makes sense to choose an individual or organisation that are experienced in interacting with both supervisory authorities and handling data subject requests.
How to appoint a UK Data Representative
You must appoint your UK Data Representative in writing. Your appointment details should set out terms of the agreement, much like a service contract, and state the desired relationship that you wish to have with them. Remember, simply having a UK GDPR Representative will and should set out the terms of your relationship with them. Having a representative will not affect your own responsibility or liability under the UK GDPR.
Notifying your customers of your chosen UK Data Representative
You should make the details of your UK Data Representative available to your customers. You can include the details of your Data Representative in your privacy notices and privacy policies on your website. You can also publish contact details for your Data Representative on your website, giving easy access for supervisory authorities to connect with them over privacy matters concerning your business. You don’t need to inform the ICO of your chosen Data Representative, however the details should be easy to find.
📚 Learn more: what's the difference between GDPR Representatives and DPOs?
When do UK companies need EU Representatives?
In circumstances where UK or any international businesses have dealings or interactions that somehow involve the EU, an EU Data Representative may be required to ensure GDPR obligations are met. Examples of these dealings include instances where businesses offer goods or services or monitor behaviour of EU citizens without having an establishment in the EU. This requirement comes about because of EU law, not UK law. For those businesses, an EU Representative must be sought out.
🔍 Explore more: does your company need a EU Representative to comply with GDPR?
Choosing a GDPR Representative that’s right for you
If your business requires a UK GDPR Representative, Legal Nodes can help. Get ongoing access to privacy advice and help to stay compliant with UK GDPR laws. Discover more here.
Get a UK Representative for your company
.jpeg){kind=avatar}
Vlad is Head of DPO Product @Legal Nodes and a certified (CIPP/E, CIPM, FIP) privacy specialist. He's currently doing a PhD study on the topic of AI and personal data protection.
