From 1 January there will be a UK version of the GDPR.
If you are a ‘Data Controller’ [you decide what is done with personal data and how it is processed] or a Data Processor [you act upon instructions] based outside of the UK and you do not have any offices, branches or other establishments in the UK but you are offering goods or services to individuals in the UK or monitoring the behaviour of individuals in the UK then you may need to appoint a UK representative.
You will need to put in place an appropriate written mandate for that representative to act on your behalf. Information about the representative should be provided to data subjects, for example, in your privacy notice. It should also be made easily accessible to the UK data regulator – the Information Commissioner’s Office – for example by publishing it on your website.
You will need to authorise the representative, in writing, to act on your behalf regarding your UK GDPR compliance, and to deal with the ICO and data subjects in this respect.
DPA/OK can represent you regarding your obligations under the UK GDPR
You will need to provide the individuals whose personal data you are processing with our details. This may be done by including them in your privacy notice or in the upfront information you give them when you collect their data.
An EEA based sales firm does not have offices in the UK, but has a regular client base in the UK. The firm must appoint a UK representative to act as its direct contact for data subjects and the ICO.
You do not need to appoint a representative if either:
you are a public authority; or
your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.
If you are not sure about any aspect of appointing a representative, please contact DPA/OK