The UK Has Its Own GDPR Now. Your EU Representative Does Not Cover It.

For four years after Brexit, a comfortable myth went around among companies selling into Europe: sort out the GDPR once, appoint an EU representative, and Britain is somewhere inside that arrangement. It is a tidy idea. It is also wrong, and the gap it leaves is the kind that stays invisible until a regulator in London, not Brussels, is the one asking who speaks for you.

Here is what actually happened. When the UK left the European Union it did not leave the GDPR behind. It kept it, copied the text into domestic law, and called it the UK GDPR. So there are now two regulations carrying nearly the same words, enforced by two different sets of regulators, and both of them contain Article 27, the rule that forces companies outside their borders to appoint a local representative. If your business reaches into both markets from outside both, the EU representative you already arranged is doing half the job.

Two regulations wearing almost the same name

The split is recent and it is clean. The Brexit transition period ended on 31 December 2020. From 1 January 2021 the European GDPR stopped applying to the UK as EU law, and the UK GDPR took its place, sitting alongside the older Data Protection Act 2018. The drafters did not reinvent anything. They lifted the EU text, swapped the institutional references, and kept the substance, including the territorial reach in Article 3 and the representative duty in Article 27.

That copy and paste is exactly why the confusion spreads. The two laws read the same, so people assume they are the same. They are not. They are two parallel regimes with two enforcement bodies. The EU GDPR answers to the supervisory authorities of the member states, the French CNIL, the Irish Data Protection Commission, and the rest. The UK GDPR answers to the Information Commissioner's Office in Wilmslow. An appointment that satisfies one of them has no standing before the other.

When the UK GDPR reaches a company outside Britain

The trigger is the same shape as the EU one, which makes it easy to learn and easy to forget. The UK GDPR applies to a controller or processor with no establishment in the UK when two things are true. You offer goods or services to people in the United Kingdom, paid or free, or you monitor the behaviour of people in the UK, which covers analytics, tracking, remarketing and profiling. And that processing is more than occasional.

If that describes you, Article 27 of the UK GDPR asks you to designate a representative established in the United Kingdom, in writing, as the point of contact for the ICO and for people in the UK. There is no revenue floor and no headcount floor. A small subscription business with British customers is caught the same way a large one is. The only genuine escape is the narrow carve out the EU also uses: processing that is occasional, low risk and free of large scale special category data, plus the exemption for public authorities.

Why your EU representative does not stretch across the Channel

This is the heart of it. A representative is a jurisdictional contact, not a global one. Your EU representative is established in a member state and is reachable by the EU supervisory authorities and by people in the EU. That is the entire scope of the role. It gives the appointment no reach into the UK, no relationship with the ICO, and no standing under the UK GDPR. The UK representative is the mirror image, established in Britain, answerable to the ICO, and silent on everything the EU authorities care about.

A representative speaks for you to one regulator in one jurisdiction. Two jurisdictions that both kept Article 27 is two conversations, and nobody can be in both rooms at once.

The same logic that European guidance uses to keep the representative and the data protection officer apart applies here between the two representatives. Each one exists to be addressed by a specific authority. You cannot collapse a UK contact and an EU contact into a single appointment any more than you can make one office sit in two countries.

The companies that now need one of each

The dual requirement does not hit everyone. It hits a very common profile. A company based in the United States, Canada, Australia or anywhere outside Europe, with no office in the EU and no office in the UK, selling to customers or running tracking across both. Before Brexit, one EU representative covered the United Kingdom as part of the Union. After Brexit it does not, and the second appointment quietly became necessary without anyone sending a reminder.

If you are a UK company looking at this from the other direction, the same split runs the other way. A British business with EU customers and no EU establishment now needs an EU representative of its own, which is the situation we cover on the EU representative for UK companies page. The post Brexit reality is symmetrical: the border that used to be invisible inside the GDPR is now a real line, and Article 27 sits on both sides of it.

Whether either duty actually applies to you starts with the same question the EU version does. The decision guide in do I need a GDPR representative walks through the EU test, and the UK test runs in exact parallel, swapping the EU for the UK at every step. If you are still untangling the representative role from the data protection officer role while you are at it, EU representative vs DPO clears that up.

Getting both right without doubling the headache

The practical answer is not complicated, it is just two appointments instead of one. You need a contact established in the EU and a contact established in the UK, each named in your privacy notice, each reachable by its own regulator and by the people it serves. The mechanics of a valid appointment, the written mandate, the records you keep available, and the privacy notice wording, are the same on both sides, and you can read how the EU side works on the how to appoint a representative page.

A quick word on where Usantis sits today, because the honest answer matters more than the convenient one. We appoint your EU representative now, the full Article 27 service for the European side. UK representation is being built and is not live yet. So if you are caught by both regimes, the move that makes sense is to close the EU gap today and put your name down for the UK side as it comes online, rather than wait for both and leave the larger market uncovered in the meantime.

So no, the UK is not tucked inside your EU arrangement, and it has not been since the start of 2021. It is a separate regulation, with a separate regulator, and its own copy of the rule that says a company outside its borders needs someone inside them. Treat the EU representative as the European half of the answer, because that is what it is, and plan for the British half as a second, deliberate appointment. The two markets stopped being one a while ago. The compliance has to catch up to the map.