The end of the Brexit transition period is now upon us. Whilst the EU General Data Protection Regulation (EU GDPR) is retained in domestic law with minimal amendment, the so-called 'UK GDPR' has some key changes that organisations need to consider to ensure compliance beyond 31 December 2020. One such issue is whether an organisation needs to appoint a data protection representative in the EU and/or UK.
Digital service providers may also need to appoint a representative in the EU and/or UK under the Network and Information Systems (NIS) Directive. An organisation can appoint the same person or entity as its EU/UK NIS representative and its EU/UK GDPR representative.
EU GDPR Representatives
You will need to appoint an EU GDPR representative if you do not have a European Economic Area (EEA) establishment and if you:
- process individuals' personal data who are located in the EEA; and
- offer goods/services to those individuals in the EEA or monitor their behaviour.
EU GDPR representatives must be:
- set up in an EEA state where some of the individuals whose personal data you are processing are located;
- able to represent you regarding your obligations under the EU GDPR (e.g., a law firm, consultancy or private company); and
- authorised by you in writing to act on your behalf regarding your EU GDPR compliance and deal with any supervisory authorities or data subjects in this respect.
UK GDPR Representatives
Beyond 31 December 2020, if you will be processing personal data of individuals in the UK in relation to offering goods or services to, or monitoring the behaviour of, individuals in the UK, but you have no office, branch or other establishment in the UK, you will need to comply with the UK GDPR in relation to such processing.
You will need to appoint a UK GDPR representative. The representative you appoint must be:
- established in the UK;
- able to represent you regarding your obligations under the UK GDPR (e.g., a law firm, consultancy or private company); and
- authorised by you in writing to act on your behalf and deal with the Information Commissioner's Office (ICO) and data subjects in relation to your UK GDPR compliance.
You may need a UK GDPR representative, in addition to an EU GDPR representative, if you have no physical presence in either the UK or EEA.
You will not need to appoint either an EU GDPR representative or UK GDPR representative if:
- you are a public authority; or
- your processing is only occasional, of low risk to individuals' data protection rights and does not involve large-scale use of special category data (e.g., health data) or criminal offence data.
Whereas the EU GDPR concerns protection of personal data in the EU, the NIS Directive concerns the security of systems in the EU. The NIS Directive was implemented in the UK with the NIS Regulations 2018 and will continue to apply in the UK after 31 December 2020, subject to some minor changes. Whilst the NIS Regulations apply to operators of essential services and relevant digital service providers (RDSPs), the changes will apply only to RDSPs.
You are an RDSP if you:
- provide an online search engine, an online marketplace and/or a cloud computing service;
- have 50 or more staff, or a turnover or balance sheet total of more than €10 million per year;
- have your main establishment (i.e., head office) in the UK or have nominated a representative in the UK or EU; and
- offer services in the EU.
If you are a UK-based RDSP offering services in the EU:
- If you will no longer have an establishment in any EU Member State, you will need to appoint a NIS representative in one of the EU Member States you operate in.
- Your EU NIS representative will be under the jurisdiction of the Member State where you offer services and will act on your behalf with the regulators and competent authorities.
- Your EU NIS representative can be the same as your EU GDPR representative.
- When appointing an EU NIS representative, you should:
  - confirm their appointment in writing;
  - follow the formal process set by the country you are working in; and
  - tell the ICO that you have appointed a representative in another country.
- If you have establishments elsewhere in the EU, you will be deemed subject to the jurisdiction of the EU Member State where your main EU establishment is and you will not need a representative in the EU for the purposes of the NIS Directive.
If you are an EU-based RDSP offering services in the UK:
- You will need to appoint a NIS representative in the UK by 31 March.
- Your UK NIS representative will act on your behalf in fulfilling your legal obligations under the NIS Regulations and be the point of contact for the UK's ICO and/or National Cyber Security Centre.
- Your UK NIS representative can be the same as your UK GDPR representative.
- You must confirm your UK NIS representative's appointment following the ICO's registration process. This involves telling the ICO whether your organisation:
  - has a head office in an EU Member State;
  - has nominated a representative in an EU Member State;
  - is complying with equivalent legislation in another country; and
  - is operating an NIS located outside the UK.
- You must follow the NIS Regulations in addition to any domestic or EU NIS rules that you are required to follow.
Penalties for a Breach
- GDPR. If an organisation does not appoint a GDPR representative when required to do so, it will be in breach of the relevant regulations and could face fines of up to €10 million or 2 percent of its total worldwide annual turnover (whichever is higher), as well as potential claims from individuals whose data the breach concerns.
- NIS Directive. EU Member States set their own penalties for non-compliance with the NIS Directive. In the UK, the ICO can fine up to £17 million for non-compliance.
Over the next few weeks, Katten will follow up with additional analysis on post-Brexit GDPR compliance. See our advisory, "Key Areas of Change to Data Protection Laws Post-Brexit," for more details.
Georgina Vale, a trainee solicitor in the Intellectual Property group, contributed to this advisory.