Brexit and Privacy Shield

  • Estados Unidos
  • 11/01/2019
  • Robert Bond

With the planned Brexit date looming (29 March 2019), now would be a good time for US-based companies/organisations with United Kingdom (UK) operations to consider whether or not any third party vendors in the US, that receive personal data from the UK operation, have adequate arrangements in place for receiving personal data from the UK once it has left the European Union (EU).

Whilst your own company may not be a member of the Privacy Shield Framework, if your UK operations use third party vendors who do rely on the Framework for UK-US data transfers, it would be prudent to approach those vendors before March to check what their plans are in the event that Brexit goes ahead as planned.

When does action need to be taken by?

If there is a transition period (currently anticipated to last from 29 March 2019 – 31 December 2020) then organisations including third party vendors will need to take action before the end of the transition period. However, if there is no transition period then action will need to be taken by 29 March 2019, less than three months away.

What steps need to be taken?

There are two main action points for companies in the US that will continue to receive personal data from the UK:

a) Update of privacy policy – the policy will need to be amended to state specifically that the organisation will comply with Privacy Shield requirements when receiving personal data from the UK (instead of/in addition to the EU and/or Switzerland). For model language, see the Privacy Shield Framework official website.

b) Update of HR policy – if an organisation plans to receive Human Resources (HR) data from the UK then it will also need to update its HR policy, using the same wording as for the privacy policy. If it does not plan to receive HR data then it only needs to comply with step (a).

Organisations should note that if they do not take the above steps by the applicable deadline then they will no longer be able to rely on the Privacy Shield Framework to receive personal data from the UK after either 29 March 2019 or, if there is a transitional period, after that period ends. On the other hand, where organisations do maintain an up to date Privacy Shield commitment, they should be aware that they are committing to comply and co-operate with the UK Regulator (the Information Commissioner’s Office) in addition to the EU Data Protection Authorities panel.

For more information, access