Brexit and GDPR: Why Businesses on Both Sides of the Border May Need a GDPR Representative

Today, we have a guest post on the complexities of navigating Brexit and GDPR for companies on both sides of the border- provided by ASSUREMORE.  

ASSUREMORE is a management consultancy business specialising in GDPR compliance – founded by John McVeigh.

To find out more about ASSUREMORE and the services they provide, please click here.

When the General Data Protection Regulation (GDPR) came into force in 2018, it applied uniformly to all EU member states—including the United Kingdom and the Republic of Ireland. However, Brexit changed the game. We now have two parallel regimes:

—  The EU GDPR applies to any organisation operating in the European Union.

—  The UK GDPR applies to businesses operating in the United Kingdom.

Although the laws are nearly identical in principle, they are legally separate. This means that if you’re based in one jurisdiction but process personal data from the other with no local base, you may need to appoint a GDPR representative there. It’s a requirement that many businesses are unaware of or have overlooked, despite it coming into effect as soon as the UK fully left the EU.

“Two Versions of GDPR” in Practice

“Essentially, there are now two versions of GDPR,” explains John McVeigh. “If your business is based in only one jurisdiction but still handles personal data from the other, you’ll likely need a representative. It’s something that was never really spotlighted when Brexit happened—and it catches people out.”

Before Brexit, a company in Northern Ireland selling services to the Republic of Ireland (and vice versa) faced no additional compliance beyond standard EU GDPR. Once the UK left, businesses in the Republic effectively became “outside” of UK legal territory, and businesses in Northern Ireland or Great Britain likewise became “outside” of the EU’s legal territory. As a result, many organisations—large or small, B2C or B2B—now come under Article 27 of the respective GDPR regime.

When Do You Need a GDPR Representative?

Under Article 27 (EU GDPR or UK GDPR), a non-EU or non-UK organisation that processes the personal data of individuals in the other territory may need to appoint an official GDPR representative if:

—  You do not have an “establishment” (e.g. an office, subsidiary, or physical presence) in the territory where your customers or data subjects reside.

—  You are offering goods or services to individuals in that territory (even free services can count).

—  You process personal data that can identify living individuals (for instance, storing “joe.blogs@companyx.com” rather than simply “info@companyx.com”).

If all your data is strictly non-personal (like a generic info@ address or purely anonymous records), or if your activity in the other jurisdiction is truly “occasional” and poses minimal risk, you might be exempt. However, genuine exemptions are rare in practice, especially for consumer-facing businesses or those storing personal details of clients, suppliers, or leads.

B2C vs. B2B

—  B2C: Businesses selling directly to consumers in the other jurisdiction face the highest scrutiny—especially if they store names, addresses, payment details, or marketing preferences of private individuals. Consumers are more likely to exercise data protection rights and file complaints if they feel their privacy is being mishandled.

—  B2B: Even if you primarily serve other companies, you typically store personal data for key contacts—e.g. “john.smith@clientcompany.com”—which means GDPR still applies. The risk of complaints may be somewhat lower, but the legal requirement remains.

The Cross-Border Example

A classic scenario is a manufacturer or retailer in the Republic of Ireland that has always sold products seamlessly into Northern Ireland or Great Britain. Suddenly, that same business is deemed “non-UK” for data protection purposes—even though physically they might be only kilometres away across the border. If they do not have a dedicated office in the UK, they will likely need a UK GDPR representative to handle data protection queries and liaise with the UK supervisory authority, i.e. the Information Commissioner’s Office (ICO).

Similarly, a digital marketing agency in Belfast serving clients or customers in Dublin (and storing personal data for marketing campaigns) could fall under the corresponding EU GDPR rules if they have no office in the Republic. In that case, they need an EU representative so that the Irish Data Protection Commission (DPC) and data subjects in Ireland can communicate with a local contact.

Overlooked but Important

Part of the reason so few organisations realise they need a representative is that Brexit overshadowed smaller (yet crucial) compliance details. Government communications often focused on trade and customs, leaving data protection requirements in the background. Even so, the supervisory authorities on both sides have the legal power to enforce these regulations.

“A company in Dundalk selling tractors into Newry would never have questioned this before Brexit,” says John McVeigh. “Now they might be classed as an ‘international’ data controller in the eyes of UK GDPR, and vice versa for a Belfast outfit selling to Cork.”

How a GDPR Representative Helps

The representative serves as a local presence for handling:

—  Data subject rights requests: EU or UK residents may request access, correction, or deletion of their data.

—  Regulatory enquiries: If a complaint is filed or an audit is triggered, the local authority can contact your representative directly.

—  Documentation: They often keep records of your data processing activities, ensuring you’re prepared if investigated.

Crucially, having a qualified representative (rather than just any local address) can also smooth out compliance challenges and reduce your risk of fines.

Next Steps

1. Check Your Cross-Border Operations: Do you sell, market, or store data for individuals across the border? Assess whether you have a physical establishment there.

2. Clarify Which Regime(s) Apply: Are you subject to the EU GDPR, the UK GDPR, or both?

3. Determine If You’re Exempt: If your activities are genuinely minimal or purely “non-personal”, you might not need a representative. In practice, though, such exemptions are rare.

4. Appoint a GDPR Representative: If you do need one, look for a specialised service. It ensures you’re prepared for data subject requests, regulatory checks, and day-to-day compliance in that territory.

Final Thoughts

Although overshadowed in the Brexit conversations, these dual GDPR requirements are real—and potentially impactful for any organisation, large or small, that processes personal data beyond its own jurisdiction’s borders. If you’re a UK firm with Irish customers or an Irish business tapping into the UK market, it’s crucial to confirm whether Article 27 applies. Skipping this step might leave you vulnerable to investigations, fines, or a damaged reputation if disgruntled data subjects file a complaint.

“It’s often overlooked,” John McVeigh adds, “but the cost of non-compliance can be huge—especially in a B2C context, where you might receive multiple data requests or a regulatory query. Better to be safe and appoint a representative if in doubt.”

Want to Know More about GDPR Representatives?

If you’re unsure whether your cross-border operation requires a UK GDPR or EU GDPR representative, or if you’d like help clarifying your data protection obligations post-Brexit, reach out to a GDPR consultancy or legal advisor. Having a local contact on the ground can save you from unwelcome surprises—and keep your business confidently serving customers on both sides of the border.

Further information is available on ASSUREMORE’s website or on LinkedIn here.