free webinar

GDPR After Brexit UPDATE: Everything You Need To Get Ready (On Demand)


Join our free webinar with data protection experts Charles Maddy-Trevitt & Rob Masson will be discussing GDPR after Brexit with the particular focus being a topic that brings two monumental benefits to your organization. Firstly, and obviously, achieving compliance will stop you from being hit with fines that could cripple you. The second, less obvious but equally important, is that compliance, having an EU GDPR Representative, opens up a huge section of the market that would otherwise be closed to you. 

What are you going to learn

Register now to watch the webinar


Charles Maddy-Trevitt

UK GDPR Compliance Specialist

UK Market GDPR Specialist
Charles has a background in a wide range of industries and sectors with international experience (US/UK/Canada/EU) in data protection, it’s this knowledge & experience that allows Charles to guide clients through the minefield of data protection regulations, and making compliance, simple.

Rob Masson


Experienced UK data protection specialist, Rob is helping clients navigate GDPR compliance in the face of Brexit.


Yes, you would need both. An EU Representative AND a UK rep. This might change during the negotiations. But right now the scenario would be that due to Article 27 you must appoint both. That representative would need to be established in a member state where you process the majority of the data. 

The GDPR does not state where a DPO must be located, it states that the DPO must be easily accessible from each establishment.


A UK DPO in a European company would be fine. The EADP has recommended that organisations processing data in both the UK and EU should appoint a DPO in the EU, however this is not a requirement of the regulation. Smaller organizations who have one DPO right now should be able to continue with one DPO.


If you do decide to move the location of your DPO, you must inform the lead or relevant Supervisory Authority(ies) of their contact details.

No, there should be no impact.  The “reasonable technical and organisational measures” expectation of Article 32 remains unchanged, as do the Individuals’ rights in terms of the right to be forgotten etc.  The Article 5 principles of the EU and the UK GDPR will remain the same, everything you are doing now under the EU GDPR, you should continue doing under the UK GDPR.

Currently all personal data moving from the EU/UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. The Privacy Shield is designed to ensure the free flow of personal data between the EU and US while at the same time obligating US companies to implement similar protections for EU’s residents’ data as that offered by the GDPR.

The EU/US Privacy Shield will still apply to the UK up until the end of the transition period (currently 31st of December 2020), therefore it is essentially business as usual until then. After this time, the UK has stated that it will recognise the Privacy Shield framework as adequate for UK to US personal data transfers.


From the end of the transition period however, US organisations certified under Privacy Shield will need to confirm they have extended their public commitment to state that their adherence to the Privacy Shield principles has been extended to include data received from the UK.  Therefore only a relatively simple update to the appropriate public facing privacy policy is required.  The required model language can be found here.


UK companies should confirm that Privacy Shield certified organisations that personal data is transferred to have made these updates and that they renew their certification annually


Entities that rely on Privacy Shield for transferring personal data from the UK should keep these requirements (and all other Privacy Shield requirements) in mind when reviewing their compliance materials for Privacy Shield recertification.

Yes, it is still allowed.  The scenario is no different to now for when those same employees are travelling to any other (non-adequate) country outside of the EU.  You would be expected to implement appropriate technical and organisational measures to safeguard the data being processed between you and the employee.

In order for the Article 3 extra territorial scope of the GDPR to apply, subjects need to be ‘resident’ in the EU.  This therefore also includes non-EU citizens who are living/resident in the EU.  If the subject you describe (whilst being an EU citizen) is resident in a non-EU country (as the UK will be), then the EU GDPR would not apply to that subject.  The UK GDPR would however apply.  If you are based in (say) Spain, but processing data on a UK resident (from Spain), then you would caught by the extra territorial scope of Article 3 from the UK GDPR.  

The ICO are not necessarily the only authority that can impose a penalty, as should an issue affect a large number of data subjects in a particular member state, then the authority in that state may require their involvement.  However the specific purpose of the one-stop-shop is to significantly reduce the need for more than one authority to be involved.  Remember that the ICO can no longer be your lead authority after the 31st of December 2020, so you will need to nominate a authority from the remaining 27 member states.