**Updated July 2020**

As Boris Johnson takes office as the newly minted Prime Minister of the United Kingdom (UK), it’s necessary for businesses inside the UK and all over the European Union (EU) to begin taking steps to prepare for the No-Deal Brexit scenario and how it impacts data protection laws like Privacy Shield.

Step One: Mapping Your Data Transfers In and Out of the UK

If you have not mapped your data transfers in and out of the UK yet, you need to begin doing so expediently. We are less than two months away from the Brexit timeline of October 2019, which means your organization needs to undergo all necessary procedures to design a data map. If you have not yet completed a Data Protection Impact Assessment, do so now.

Step Two: Ensure That You Have a Business Need to Collect Data

 A lot of companies unnecessarily collect any personal identifiable information that comes their way. In the past, this practice was accepted; however, with the advent of GDPR, it is improper. You should have a business use case for every piece of data collected—from end-user IP addresses  to the last four digits of credit card numbers.

Step Three: Amend Your Privacy Policy to Add “and the United Kingdom” to Your Privacy Shield Commitment

Your privacy policy should be up-to-date acknowledging the changing political climate of the EU and its relationship with the UK. All Privacy Shield statements in your privacy policy must now reflect the change that the UK will not be a member of the EU in October. This change should go into effect immediately.

Step Four: Ensure Your Privacy Shield Dispute Resolution Provider is in the US or the EU—Not in the UK

If you’re not working with an EU-based or US-based Privacy Shield dispute resolution provider, you need to obtain one at this time. Utilizing a UK-based Privacy Shield dispute resolution provider can and will hamper your abilities to adequately fight decisions made on either side of the Atlantic.

Step Five: Ensure You Understand the UK’s Data Protection Act 2018

Read up on every possible resource available on the UK’s GDPR, decisions that have been made recently by the Information Commissioner’s Office (ICO) and the UK Data Protection Act. Some changes have been made to the UK Data Protection Act and some amendments were accepted as a result of the Privacy and Electronics Communication Regulations (PECR). Make sure that you are abreast on all new rules and regulations — as it could result in substantial fines otherwise.

Step Six: Appoint a Data Protection Officer

If your organization presently does not have a Data Protection Officer (DPO), you need to hire one immediately. Doing business internationally is tricky, but it has never been more warranted than now to have a person with significant understanding of how the organization’s data collection practices are enabled. Assigning one person the authority to respond and make recommendations on behalf of the company is of paramount necessity in this ever-changing landscape.

Understanding the changing business climates in countries around the world is often difficult without a trusted partner on your side. Contact AOTMP® and take a look at our GDPR compliance toolkit pocket guide today to discover how we can assist you with your data protection and security needs.

**Despite the Court of Justice of the European Union’s (CJEU’s) ruling that the EU-US Privacy shield is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US, participants have not been relieved of their obligations as dictated by the EU-US Privacy Shield Framework. The US Department of Commerce will continue to administer the program. Contact your trusted data protection authority or legal counsel for more information.