Many UK firms which do not have an EU-based location may become GDPR non-compliant when the Brexit transition period ends on the 31st December 2020. This is because many small to medium size organisations are unaware of the requirements stipulated in Article 27 of the GDPR.
What is Article 27 and why should UK businesses be aware of it?
Article 27 of the GDPR relates to “representatives of controllers or processors not established in the Union” and sets out the obligation that organisations with no establishment in the EU have when they process the personal data of individuals in the EU. In short, if you offer goods or services to, or monitor the behaviour of, clients, customers or prospects in the EU (the test in Article 3(2)) but you have no establishment in the EU, Article 27 requires you to designate, in writing, a representative established in one of the member states where those individuals are. The only exemptions, in Article 27(2), are for public authorities and for processing that is occasional, does not include large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to individuals. Until the Brexit transition period ends, UK businesses are not in breach of this provision, but after 31st December 2020 it is likely that many will unwittingly become non-compliant. Failure to address this could lead to substantial fines or to class-action type claims from data subjects in the EU.
Maintaining compliance after Brexit
The majority of UK based businesses will have taken some, if not all, of the steps required to bring their processes into line with the GDPR when it came into force in May 2018. Many will have hired expensive GDPR consultants to assess and update their systems and to train internal stakeholders. However, as the UK was still part of the EU in the lead up to that date, many consultants are unlikely to have highlighted Article 27. After all, a UK business was at that time established in the EU and therefore had no obligation to appoint an EU representative.
When the UK negotiated the withdrawal agreement and left the EU on 31st January 2020, it set in motion what is often referred to as the “hidden obligation” of the GDPR for UK based businesses, which bites once the transition period ends. Previously, the Article 27 obligation only applied to organisations in non-EU countries such as the USA, Canada and Australia, and only where those organisations processed data on individuals in the EU without having an EU establishment. Larger organisations in such countries are less likely to be non-compliant because they are more likely to have a presence within the EU. Many small to medium size organisations, on the other hand, are highly likely to fall foul of this provision, mainly because it is not well known and is only likely to be drawn to the attention of business owners who have hired expert data protection lawyers to assess their operations.
UK businesses concerned about non-compliance with the GDPR after Brexit should therefore ask themselves, “after the transition period ends, will I still be offering goods or services to, or monitoring the behaviour of, individuals in the EU, without having an establishment within the EU?”. If the answer is “yes”, and none of the Article 27(2) exemptions applies, the business should appoint an EU representative to maintain compliance.
Is this legislation likely to be enforced after Brexit?
The short answer to this question is “yes”, particularly where a company suffers a data breach and the subsequent investigation finds it to be non-compliant. Note that after the transition period the Information Commissioner’s Office (ICO) enforces the UK GDPR and the Data Protection Act 2018 within the UK; the Article 27 obligation under the EU GDPR is enforced by the supervisory authorities of the EU member states, which can act through the representative you appoint. Failure to comply with Article 27 falls under Article 83(4) and could expose your business to fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. You may find the ICO’s Brexit FAQs PDF a useful reference point.