• Tim Bell

Brexit - Better Safe Than Sorry

Updated: Apr 11, 2019

Written by Marie Penot, Supervisory Authority Liaison

With less than a fortnight to go until the fateful date of March 29th, the tension in the privacy industry is increasingly tangible [NOTE: The potential for a no-deal Brexit has since been delayed, first to 12 April and now to 31 October 2019]. Not only is the fog of uncertainty not clearing over the British Isles, but the remaining 27 European Member States are either in a state of inertia, adopting a wait-and-see position, or trying - with flaming rhetoric - to shake some sense into the British political class. From a privacy perspective, however, surprisingly few organisations on either side are taking the necessary steps to comply with the new situation, even though there is a good chance that they would become non-compliant with GDPR overnight once the Article 50 deadline expires.

In plain language, this means that with a no-deal Brexit the UK leaves the European Union and suddenly becomes a “third country” for the purposes of GDPR.

There is, of course, the option to stick one's head in the sand and wait for the danger to pass, but one could also argue that it won't hurt to be prepared.

GDPR says in Article 27 that a controller or a processor which is not established in the European Union shall designate a representative in the Union. Although this discrete Article is usually known to the non-EU privacy community when they are dealing with EU data subjects, privacy professionals in EU member states are often surprisingly unaware of it.

The Data Protection Authorities have been facing challenges of their own, such as under-staffing or a mind-boggling increase in violation and breach reporting, and the UK Information Commissioner’s Office (ICO) has been beyond busy. Even though they are probably the DPA with the most employees, have been amongst the first to publish their implementation of GDPR and are getting media attention in situations such as the Cambridge Analytica case, they have found time to publish guidance on what would happen to data if and when the UK leaves the European Union.

The ICO has a very clear stance on the matter on its website:

  • If you are based in the UK and do not have a branch, office or other establishment in any other EU or EEA state, but you either: offer goods or services to individuals in the EEA; or monitor the behaviour of individuals located in the EEA, then you will still need to comply with the EU GDPR regarding this processing even after the UK leaves the EU.

  • As you will not be an EEA-based controller or processor after exit date, the EU GDPR requires that you must appoint a representative within the EEA. This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located.

Meanwhile, European authorities are much less vocal on the matter. The DSK (the joint voice of the 17 official German Data Protection authorities) and the CNIL have published information about what to do in case of a no-deal Brexit, but the guidance deals with the data transfer mechanisms to have in place in case the UK becomes a third country. They advise updating the privacy policy and the Article 30 records of processing to confirm that a transfer to a third country is occurring and to explain how data subjects can exercise their rights; but there is no mention of the need for a Representative on either side of the new EU/UK border.

Therefore, many businesses on either side of the virtual schism are unaware that there is something for them to do with regard to a Representative. A retailer in Bulgaria, a lawyer's office in Luxembourg or a mobile app developer in Estonia which deals exclusively with local affairs might not think of the need to appoint a UK Representative. But given how likely it is that any business in our interdependent world relies on outsourcing and the free movement of goods and services, such a business might also touch the UK and process the personal data of individuals there in one way or another.

Controllers need to check with their processors and sub-processors, and act accordingly if they are based in the UK without an establishment in the EU, or based in the EU without an establishment in the UK.

There is still time for those businesses to appoint an EU Representative to be safe - which is undoubtedly better than being sorry - and prepare for an increasingly likely “no deal” Brexit, rather than inadvertently falling into breach of GDPR (or the UK equivalent) and being at risk of a significant fine.

DPR Group is providing a “No Brexit, No Fee” contract for clients appointing them as EU or UK Representative, with no cost if a no-deal Brexit does not occur. Please contact us at brexit@dpr.eu.com for more information.

Marie Penot is DPR Group's Supervisory Authority Liaison. She is fluent in English, French and German and has experience working with many of the data protection authorities in the EU.
