The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Brexit affected the GDPR Representative obligations for three organisational types:
1.) UK Based organisations providing goods or services to the EU, with no physical EU office
2.) International organisations providing goods or services to the EU, whose only EU office is located in the UK
3.) All organisations (including those in the EU) providing goods or services to the UK with no UK office
GDPR still applis to UK based organisations, and additional representation obligations apply to those organisations meeting the criteria above.
GDPR is enforced and the ICO, the UK data protection regulator is strictly monitoring compliance and issues record-breaking fines to organisations that were found to have caused infractions of the new law.
If you process data about individuals in the context of selling goods or services to citizens in other EU countries and you are UK-based with no EU Office
You will need to appoint an EU Representative.
For example, your office is located in England and you provide goods or services to clients in Italy then you would need to appoint an EU Representative in Italy
f you’re an organisation that’s based outside of the UK and has no physical office in the UK but provide goods or services to the UK then you will need to appoint a UK Data Protection Representative.
For example, your organisation is either based in the USA or Spain and you provide goods or services to UK based customers, then you will need to appoint a UK Data Protection Representative.
GDPR still provides a clear baseline against which UK business can seek continued access to the EU digital market.