NEWS4 December 2020

Market research companies could need EU data representatives after Brexit

Brexit Europe GDPR News Privacy UK

UK – Market research businesses in the UK will almost certainly need an EU representative for data purposes following the UK’s exit from the union if they work with European personal data, a Market Research Society (MRS) webinar has heard.

Brexit negotiation chess_crop

Speaking at the Brexit and Research: what’s next? webinar yesterday ( 3rd December), Camilla Ravazzolo, data and privacy counsel at MRS, said that EU firms would also need a UK data representative after the end of the Brexit transition period.

Under the EU General Data Protection Regulation (GDPR), personal data encompasses any information that relates to an individual, ranging from name and age to a cookie identifier or an IP address.

The EU GDPR necessitates a representative in the EU if a company is offering goods or services to individuals in the region or is monitoring the behaviour of individuals in the European Economic Area. The representative is the point of contact for personal data issues relating to the company.

Because of the broad range of information that is defined as personal data, Ravazzolo said it is extremely likely that UK firms would need a representative for the rest of Europe after the UK’s departure from the EU on 1st January.

Ravazzolo also said that companies would need to rely on international data transfers safeguards, adequacy decisions and standard contractual clauses (SCC), which cover data transfers between EU member states and non-EU countries, in particular.

Negotiations between the EU and the UK are ongoing ahead of the UK’s departure, with a deal yet to be agreed.

Ravazzolo said: “Personal data is everything that has not been anonymised – pure non-personal data is data on the weather or traffic. Anything not on this level is personal data. Is it pseudonymised? If it is, it is still personal data according to the GDPR.

“According to EU case law, you don’t need to have access to personal data to be defined as a controller. If you are 100% sure you are not processing personal data then fine, but you need to be 100% sure.”

Debrah Harding, managing director of MRS, also said in the webinar: “The reality of what most research practitioners are involved in [is that] they will have personal data at some point. Unless you are just dealing in traffic or weather data, then as a researcher you need to have an EU representative.”

Companies operating in the UK and EU might also need to acquiesce to the demands of two regulators, as negotiations are still ongoing to decide whether the Information Commissioner’s Office (ICO) can retain its  ‘one-stop shop’ status, which allows organisations in the EU to only deal with a single data regulator across member states.

Ravazzolo said that if the ICO did lose this status, companies operating in the UK and Europe would need to keep in mind the requirements of two different regulators, which could differ over time as laws change.

For more guidance on the implications of Brexit for market research, the MRS Brexit hub can be found here. A recording of the webinar is now available here and new guidance is here