1. What is the GDPR and UK GDPR exactly?
The General Data Protection Regulation (GDPR) is the EU's data privacy and security regulation. Its intent is to protect the personal data of people in the EU, no matter where in the world that data is processed. The GDPR is very complex in itself; however, a thorough summary supported by the EU can be found here. Be aware that every EU member state also has its own national data protection law, which adds legislation on top of the GDPR. This sometimes results in different obligations for your company in each EU member state.
Even though the UK has left the EU, the rules of the GDPR still apply there, only under different legislation. The UK adopted its own equivalent, the UK GDPR: the EU GDPR as retained in UK law and amended post-Brexit by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which sits alongside the Data Protection Act 2018. This legislation contains the same rules as the GDPR, including the obligation to appoint a representative in the UK.
2. I already have a Data Protection Officer (DPO). Why do I need to have a Data Protection Representative (DPR)?
According to Article 27 of the GDPR and UK GDPR, a company without an EU establishment (or UK establishment in the case of the UK GDPR) that offers goods or services to, or monitors the behaviour of, people in the EU (or UK) is required to designate a DPR. The only exceptions, listed in Article 27(2), are public authorities and occasional, low-risk processing that does not involve special categories of data or criminal conviction data on a large scale. The obligations of a DPO differ from those of the DPR. Whereas a DPO has to perform his or her duties independently, a DPR acts only on the mandate and explicit instructions of your company. Also, a DPO oversees your company's GDPR strategy and compliance and trains your employees, while a DPR acts as the local point of contact for your EU (or UK) customers and the supervisory authorities.
3. Why can't the DPO fulfil the role of the DPR?
The European Data Protection Board has shed light on this matter in its Guidelines 3/2018 on the territorial scope of the GDPR (first adopted in November 2018, revised as version 2.0 in 2019). In short, being a DPO and a DPR at the same time can result in a conflict of interest: the DPO must act independently, whereas the DPR acts on the company's instructions. Therefore both roles need to be fulfilled separately.
4. What will happen if I don't have a DPR?
If you don't have a DPR, you can be fined by a data protection authority. The GDPR and UK GDPR are designed to make non-compliance a costly mistake. There are two tiers of fines, and in both cases the higher of the two amounts applies:
Less severe infringements can result in a fine of up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year (under the UK GDPR: £8.7 million or 2%).
Severe infringements can result in a fine of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year (under the UK GDPR: £17.5 million or 4%).
Not having a DPR is, according to Article 83(4) of the GDPR and UK GDPR, a less severe infringement, so it falls under the first tier.