By many accounts, the United Kingdom will leave the European Union and European Economic Area as early as April 12, 2019. What does the UK’s exit (Brexit) mean for your global privacy program and what do you need to do? Here are five things you can start now.
The good news is that companies can continue to use Privacy Shield for UK to U.S. data transfers provided they update their privacy notices and other applicable policies to expressly state that their commitment includes the United Kingdom (for example, by adding “and the United Kingdom”). See: Privacy Shield and the UK FAQs. Where human resources data is being transferred from the UK to the U.S. under the Privacy Shield, update your HR policy too.
Organizations must modify their policies before the UK exit date (which could be as early as April 12, 2019, if there is no transition period). If an organization does not take this step, it will not be able to rely on the Privacy Shield Framework to receive personal data from the UK after the UK withdraws from the EU.
2. Review your data transfers between the UK and the EU using model clauses.
Is your UK organization directly receiving personal data from the EU? If so, once the UK leaves the EU, it stands to lose its “adequacy” finding. Confirm that your agreements between entities include the standard contractual (or model) clauses. Many vendors, like AWS, already rely on the model clauses in addition to Privacy Shield (see AWS and Brexit). If you’re not sure, reach out to your vendors and start with your high-risk, high-volume transfers.
3. Confirm that your lead supervisory authority is in the EU.
Companies with a main establishment in the EU using the UK ICO as a “one stop shop” must nominate a new lead supervisory authority in an EU country such as Ireland.
4. Confirm that your EU representative is in the EU.
Is your EU representative in the UK? Generally, companies without an EU establishment that offer goods or services or monitor the behavior of data subjects must find and appoint an EU-based representative.
5. Stay Tuned.
Although Brexit seems inevitable, the exit date is a complicated, highly politicized decision, and there’s an outside chance the UK and EU can agree to a transition period up to December 2020, giving companies more time to adjust. Either way, updating your privacy policies prior to April 12, 2019, is the smart move now.