Trick or Treat: Will Brexit Break Your Privacy Program?

[This alert was updated 4/12/19 to reflect the latest developments.]

The deadline for the United Kingdom to leave the European Union continues to be a moving target, with the latest extension placing Brexit no later than October 31, 2019 (Halloween). Whatever the final date, Brexit need not be a frightful event: there are steps your company can start taking now to prepare its global privacy program. Here are five things you can do:

1. Update your privacy policy for transfers from the UK to the U.S. under Privacy Shield.

The good news is that companies can continue to use Privacy Shield for UK to U.S. data transfers provided they update their privacy notices and other applicable policies to expressly state that their commitment includes the United Kingdom (for example, by adding “and the United Kingdom”). See: Privacy Shield and the UK FAQs. Where human resources data is being transferred from the UK to the U.S. under the Privacy Shield, update your HR policy too.

Organizations must modify their policies before the UK exit date. If an organization does not take this step, it will not be able to rely on the Privacy Shield Framework to receive personal data from the UK after the UK withdraws from the EU.

2. Review your data transfers between the UK and the EU using model clauses.

Is your UK organization directly receiving personal data from the EU? If so, once the UK leaves the EU, it stands to lose its “adequacy” finding. Confirm that your agreements between entities include the standard contractual (or model) clauses. Many vendors, like AWS, already rely on the model clauses in addition to Privacy Shield (see AWS and Brexit). If you’re not sure, reach out to your vendors and start with your high-risk, high-volume transfers.

3. Confirm that your lead supervisory authority is in the EU.

Companies with a main establishment in the EU using the UK ICO as a “one stop shop” must nominate a new lead supervisory authority in an EU country such as Ireland.

4. Confirm that your EU representative is in the EU.

Is your EU Representative in the UK? Generally, companies without an EU establishment, which offer goods or services or monitor the behavior of data subjects, must find and appoint an EU-based representative.

5. Stay tuned.

Although Brexit seems inevitable, the exit date is a complicated, highly politicized decision, and there’s an outside chance the UK and EU can agree to a transition period up to December 2020, giving companies more time to adjust. Either way, updating your privacy policies is the smart move now.

If you have any questions, please reach out to your Fenwick advisor.

* Ginny Bartlett is a senior privacy and cybersecurity advisor at Fenwick & West.

