GDPR UK Representative service tiers
1 - 10
251 - 500
501+ employees or multiple entities
£750 annually when you buy online
£1,250 annually when you buy online
£1,750 annually when you buy online
£1,250 annually when you buy offline
£1,750 annually when you buy offline
£2,250 annually when you buy offline
Under the UK GDPR data controllers and processors based outside the UK offering goods or services to, or monitoring the behaviour of, UK data subjects must appoint a UK representative.
The UK representative acts as a local contact for data subjects and the ICO in relation to all issues arising from the processing of personal data.
Not sure if you need an EU Representative? Our EU and UK GDPR Representative Advice Service can help you.
GRCI Law will serve as your UK representative, in compliance with Article 27 of the UK GDPR.
Download the UK Representative service description to learn more.
View a list of customers for whom GRCI Law act as UK Representative
Under the EU GDPR, data controllers and processors outside the EU offering goods or services to, or monitoring the behaviour of, data subjects in the EU must appoint an EU representative. All UK organisations that do not have a presence in the EU should consider appointing an EU representative. There are limited exceptions to this, depending on the volume and type of data you are processing or whether you are a public body or authority. However, the extent to which exceptions apply has not yet been tested.
Learn more about our EU representative service
Led by our team of experienced DPOs (data protection officers), data privacy lawyers and cyber security experts, we deliver efficient, expert-driven services.
This service applies to single-entity organisations with between 1 and 500 staff. The service can be delivered to organisations in any sector or industry.
For organisations with more than 500 employees or multiple entities, we can provide a bespoke solution to meet your requirements. Please contact us to discuss your needs.
Please note that this service does not include advice or guidance on Article 30 records of processing activities.
Why is it cheaper to buy online?
Our administrative costs of processing an online purchase are much lower than for an offline purchase and we pass those savings on to you.
What does a UK representative do?
The UK representative’s role is to ensure that individuals (data subjects) and the UK’s data protection authority, the Information Commissioner’s Office (ICO), have a mechanism that allows them to communicate with organisations. A key driver behind this is to make sure that UK residents will be able to contact the data processors and controllers who hold their personal data in a quick, efficient and simple way.
Put simply, under Article 27 of the UK GDPR, if your organisation has no business presence in the UK you need to appoint a UK representative if:
What does monitoring the behaviour of individuals mean?
Monitoring or “profiling” within the GDPR framework means anything you do that involves the automated analysis or predicting of behaviour of individuals, their movements, personal preferences, health, economic situation etc.
Are there any exceptions to this?
There are limited exceptions to this, depending on the volume and type of data you are processing or whether you are a public body or authority. However, the extent to which exceptions apply has not yet been tested.
When should I put this in place?
Since 1st January 2021, the UK has no longer been a member state of the European Union, so organisations that don’t have a business presence in the UK but are marketing to the UK or monitoring the behaviour of people in the UK now need a UK representative. In some cases you may also need to appoint an EU representative, for example if your organisation is based outside Europe and the UK and your EU representative was previously based in the UK.
Why is it important to act now?
As details of the UK representative need to be easily accessible, typically in your privacy documentation (for example, in your customer-facing privacy notice or published on your website), it is obvious if you have failed to meet your Article 27 obligations. If you are in breach of Article 27 you may face fines of up to ten million euros or 2% of your global turnover.
What is included in the service?
We act as a communications conduit between data subjects, your organisation and the ICO; provide you with a UK representative email address and wording to insert into your privacy notice(s); and hold an up-to-date copy of your Article 30 record of processing activities, as required by Article 27. We pass any enquiries from data subjects or the ICO to you to deal with.
This is an annual fixed fee service. Our pricing is based on the size of the organisation and we charge per entity.
Do I need a separate UK representative for all the companies in my group?
We can provide a UK representative for all group entities, but we charge based on the number of entities that need to be included.
Do you charge extra depending on the number of data subjects our organisation deals with?
No, we charge a flat fixed fee based on the size of your organisation.
Does the UK representative need to be registered?
It is not required under the regulation but you need to make details of your UK representative easily accessible, for example in your privacy notice or by publishing details on your website.
What should my Article 30 Record contain?
The Article 30 record is a key document for GDPR compliance and should document what data you are processing and why, where data is stored, the volume of data you are dealing with and how it is moving through your organisation. If you don’t have an accurate picture then you may not be aware of where your compliance gaps are and where you might be in breach of the GDPR. You also need to have one readily available in case a data protection authority asks to see it.
Our organisation has fewer than 250 employees. Am I required to have an Article 30 record?
The exemptions are very limited and haven’t been fully tested. Without an accurate and up-to-date record of processing activities it is difficult to be assured that you are compliant. It is best practice to have one and we strongly recommend all clients have one and keep it up to date.
Will you review or advise us on our Article 30 Record?
The GRCI Law team can help you with this but it is not included in this service. We would be happy to talk to you about your specific requirements.
How soon do you need my Article 30 Record?
Ideally, as soon as you sign up or as soon as possible.
If a data subject contacts you, do you deal directly with the query?
We pass all enquiries from data subjects to you to deal with along with any enquiries from data protection authorities.
Would you provide the Article 30 record to a data protection authority without consulting us?
We would contact you first before responding to a request from the ICO.
Enjoy the benefits of paying by purchase order with a GRCI Law corporate account. Apply online today or call our service centre team on +44 (0)333 900 5555.
Led by our team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, we provide DPO, breach, data privacy management, and data subject access request support, and associated non-reserved legal services.
We offer legal risk and compliance consultancy advice that you can trust, but without the burden of administrative duties and expenses that law firms must bear in order to carry out certain ‘reserved legal activities’, such as litigation, conveyancing and advocacy.
If you have any queries or you’re unsure of how to progress, please get in touch with our team of experts who will be able to assist with your enquiry and provide guidance options.