There are two separate GDPR regimes from 1st January 2021 when the transition period comes to an end. The previous EU GDPR stays as it was but the UK has its own version (which at the moment is largely the same).

GDPR - Data ProtectionThe big change for businesses processing personal data of EU citizens is that you must have appointed a representative based within the EU (which can be a company incorporated in an EU country) in order to act as a contact point for data subjects and supervisory authorities within the EU. You should normally choose the country where you have the closest link and your representative shouldn’t be a person or company carrying out data processing activities for you.

Where possible it is sensible to ensure the representative is a company within your corporate group, as that avoids the need for a detailed services contract (though you should still document the appointment of your representative in writing). If this isn’t possible, then you’ll need to ensure you have sufficient controls and obligations set down in a services contract.

Unfortunately, this also means two supervisory and enforcement regimes – the ICO within the UK and the corresponding authority in the country in which you appoint your representative.

You will also need to ensure any privacy notices/policies are updated to make clear that data subjects based in the EU should contact your appointed representative (rather than you) if they want to exercise any of their rights under the GDPR.

If you want to discuss any aspects of data protection, please do not hesitate to contact Matt Worsnop on 0116 281 6235 or email

Published by

Categorised in: ,

Tags: , , , , ,