If you trade with, or use services in, the USA in a way that involves the transfer of any personal data, have you considered the effect of Brexit on such transfers?
If you are relying on the US Privacy Shield as the appropriate safeguard for the transfer of personal data then, in essence, with effect from the “exit day”, US organisations that wish to use the Privacy Shield to receive personal data from the UK must update their public Privacy Shield commitment statement to include the UK (as well as a statement that the organisation intends to receive HR-related data, if applicable).
As regards the “exit day”: if there is a transition period, the deadline to update privacy notices will be 31 December 2020. If there is no transition period, the deadline will be the date that the UK actually withdraws from the EU.
The US organisation will also need to maintain a current Privacy Shield certification, including an annual re-certification.
If these steps are not taken, the organisation will not be able to rely on the Privacy Shield framework to receive transfers of personal data from the UK after the exit day.
However, this will not just be an issue for the US organisation. The UK organisation, whether as a controller or processor, will not be able to make the transfer of personal data to the US in compliance with its duties under the Data Protection Act 2018 and UK GDPR without another safeguard in place.
UK businesses and organisations should also monitor developments regarding the Privacy Shield as the regime is currently being reviewed by the EU.