The ICO has issued new guidance setting out key considerations when reviewing privacy notices at the end of the Brexit transition period.
The guidance sets out functional changes to be made such as amending references to 'Union Law' to reflect the correct terminology under new UK data protection legislation. However, post transition period, businesses and organisations that previously enjoyed hassle free personal data transfers from the EU to the UK will now need to ensure that a GDPR approved mechanism is used and this mechanism will also need to be reflected in their privacy notices.
Furthermore, those UK based businesses and organisations who wish to continue with data transfers in the EU but do not have an establishment in any Member State, will be required to appoint an EU representative, details of which will also need to be set out in their privacy notices.
Whilst the substantive information in existing privacy notices is likely to stay the same, businesses will need to be pro-active in ensuring that their notices are compliant with both the GDPR and UK data protection legislation at the end of the transition period.
Information required in your privacy notice is unlikely to change. You may need to:
(a) review your privacy notice to reflect changes to international transfers,
(b) review references to your lawful bases or conditions for processing if any refer to ‘Union law’ or other terminology changed in the UK GDPR, and
(c) identify your EU representative (if you are required to have one)