The need to appoint a representative arises from the alteration of UK privacy laws as a result of Brexit (UK GDPR). The amended legislation now requires that any entity which:
- processes the personal data of people located in the UK;
- is based outside the UK, with no UK establishment presence;
must appoint a UK Representative for the purposes of facilitating communications with data subjects, the UK ICO and third parties.
The penalty if you fail to appoint a representative could be a fine of up to €10,000,000 from the UK Information Commissioner’s Office (ICO) or 2% of global turnover whichever is higher.
You may be exempt from the need to appoint a UK Representative, but only if your processing is:
- occasional;
- does not include, on a large scale, processing of special categories of data (such as personal data relating to ethnic origin, religious beliefs, trade union membership and sexual orientation); and
- is unlikely to result in privacy intrusions for the relevant individuals whose data you are processing taking into account the nature, context, scope and purposes of the processing .
Even if you have already appointed an EU Representative under GDPR, unless they are established in the UK, you will also need to appoint a UK Representative.