Who needs a UK representative?
According to Article 27 of the UK GDPR, your company needs a UK representative if you don’t have an establishment in the UK and you either:
- Offer goods or services to people in the UK
- Monitor the behaviour of people in the UK (e.g. via website cookies)
How to start working with a UK representative 🇬🇧
Prepare an up-to-date Data Map (also called a RoPA, a record of processing activities). Your UK representative is responsible for maintaining it and providing it to authorities if they request it.
Legal Nodes can help you prepare a Data Map and maintain it as part of the UK representative subscription.
Legal Nodes UK representative subscriptions include:
- Communication with the ICO and data subjects on your behalf
- Maintaining your Data Map (RoPA) and providing it to the ICO upon request
- Consultations with certified privacy specialists (Standard and Custom subscriptions)
You always have access to a dedicated certified privacy professional
You can always add more services if you need (GDPR packages, DPO subscription, consultations)
Tailored to Startups
We work primarily with tech startups and scaleups and tailor our services to their needs
No, a UK representative has a different role to that of a Data Protection Officer. Whilst the two roles are responsible for helping to manage the relationship between a company and both its customers and data protection agencies, they carry out different functions.
Any non-UK company regularly operating in the UK should appoint a UK representative who acts as the face of the business. UK representatives can help a company to comply with UK GDPR and represent their client for any wrongdoings.
A DPO is appointed when a company handles large amounts of data, or especially sensitive data, or if the organisation is a public body. The DPO has key independent oversight responsibilities that they must fulfil. They are a critical piece of the internal workings of a business that handles data.
UK representatives have a much more limited role; they simply represent the company in certain situations. A DPO and a UK representative can't be the same person due to the conflict of interest. Read more on the differences between the two roles.
GDPR stipulates that every piece of data processing that a business does must have a record. These records are then stored in a record of processing activities, also known as a “RoPA” or “ROPA”.
Once GDPR processes and data have been mapped in compliance with UK GDPR rules, businesses need to present this data map for regulators to review. Regulators then use these RoPAs to get a complete overview of a business’s data processing activities. A correctly built RoPA will enable regulators to view every instance where personal data is processed, why it's processed, and how it is managed within the company. Regulators will refer to these records as “documentation”. Note that the RoPA is not presented before the regulator unless requested.
RoPAs are only required in organisations that have over 250 employees. In some instances, smaller organisations would be required to keep RoPAs. The questions that a business should ask itself to determine if a RoPA is needed are:
- Could any data processing result in some kind of risk to the rights or freedoms of the data subjects (in most cases, customers of the company)?
- Is there some kind of data processing that occurs consistently, as part of some kind of routine?
- Are there special kinds of data being processed, concerning for instance data on an individual’s racial or ethnic information, their religious beliefs, biometric data, health data or even data related to criminal matters concerning the individual?
If you are unsure as to whether you need a record of processing activities, book a call with us today to speak to one of our specialists, who will help you determine whether your organisation needs a RoPA.
A UK representative could be an organisation or an individual. Most importantly, they must be established or based in the UK. As the UK representative is required to effectively represent the business on privacy matters that concern UK GDPR obligations, the representative must hold adequate experience and/or be part of a private company specialising in these services, a law firm or a consultancy firm.
UK representatives represent businesses that are established outside of the UK but serve UK data subjects or somehow do business in a way that requires them to handle data concerning UK subjects. Therefore, that business must adhere to UK GDPR laws and regulations, and appoint a UK representative.
EU representatives are for businesses operating from outside of the EU and serving EU data subjects. For example, an Indian company serves customers in Germany, France, and Poland. They will require an EU representative. In this instance, only a single representative is required and should be appointed in the country with the largest volume of customers.
Businesses with customers in the UK and the EU should consider getting two separate representatives. This is because the UK has now left the EU and has its own UK GDPR, so an EU representative cannot represent a business in dealings with UK customers. If you do not serve customers in the UK, you do not need a UK representative. Similarly, if before the UK left the EU, the only country you served was the UK, then you need to appoint a new UK representative, as the EU representative will be unable to act as a go-between for your business and your UK clientele.
The only case in which you'd need to appoint both UK and EU representatives is if you were serving both UK and EU customers without having an entity in any of these jurisdictions.
Companies should be wary of not appointing UK representatives. In December 2020, the Dutch Data Protection Authority (DDPA) issued a €525,000 fine to a non-EU website provider who had failed to appoint an EU representative in accordance with Article 27 of the EU GDPR. The DDPA then continued to require the non-EU website to pay €20,000 for every two-week period that the website failed to appoint an EU representative, capping the fine at €120,000. This serves as a stark warning to businesses that require either or both UK and EU representatives; skipping out on a representative could result in huge financial losses.