
I specialise in providing advice to USA companies on GDPR.

If you are a USA company and you want to do business in the UK, the GDPR mandates that you must have a representative office in the EU, and after Brexit you will need one in the UK also.

If you don't have a representative office, you can't do business with EU citizens' personal data.

Not only that, but your representative office must also be GDPR compliant.

For instance, it must be able to service Data Subject Access Rights, have compliant policies and procedures, have statutory documentation in place concerning processing, and comply with all the regulations in GDPR, such as lawful basis to process data and security considerations.

You may also need to officially appoint a Data Protection Officer, depending on your size and number of transactions.

If you store data of EU citizens on USA servers, you will need to put in place model contract clauses or binding corporate rules.

If you are a member of the USA Privacy Shield, this will help, but it will not make you fully compliant.

GDPR effectively makes USA companies comply with GDPR by holding the representative offices to account for any actions taken by the USA parent company. The directors of the representative company themselves will be expected to provide information to the regulators, and if their actions are shown to be non-compliant, fines could be levied on the turnover of the whole group of up to 4% of turnover or £20 Million, whichever is greater.

I can help you navigate the road to compliance.