Any organisation which sells into the UK or monitors people there, unless they have an establishment (e.g. office) in the UK, will be required by UK-GDPR to appoint a UK Data Protection Representative.
Companies which sell to the UK from outside Europe will, before Brexit, have had an obligation under GDPR to appoint an EU Representative. Now, post BREXIT, this position has changed so that their obligation will now be to appoint a UK Representative instead of an EU Representative (assuming they do not also sell to the EU/EEA – if so, they would need both).
The UK Data Protection Representative is required by Article 30 (implied through the data controllers Article 27 obligations) of the UK-GDPR to hold a copy of their client’s Records of Processing Activities (RoPA) for review by the ICO if they request it.
We also must hold the Article 30 records of our clients securely in preparation for such a request and will let our clients know if and when they are requested by the ICO.
If we receive a data inquiry from a Data Subject or the UK Information Commissioner’s Office. It's our responsibilty to let them know what process is being followed.
We then pass these queries onto our clients.
We also provide general guidance on what actions you should be taking to respond to that inquiry, and the timescales in which to do so.
