**Updated July 2020**

The United Kingdom’s (U.K.’s) exit from the European Union (EU) – whenever it occurs – could create data privacy uncertainty on an entirely new scale. While the EU-U.S. Privacy Shield Framework currently governs U.K. personal data collection practices for U.S. businesses, it’s important to understand these rules could change any day.

So, can you continue to rely on Privacy Shield participation to support current personal data collection practices? The short answer is yes – for now. The longer answer, as you might expect, is a little more complicated…

The Future of U.K. Personal Data Collection Practices

In light of recent developments, the Brexit timeline has been pushed back to January 31, 2020 due to a mutually agreed-upon withdrawal extension period. For you, this means the next few months offer a ‘business as usual’ sigh of relief. The U.K. will remain an EU member state until this date, leaving all applicable EU data collection laws in place until then.

After that, however, is when things get tricky. While both parties have preliminarily agreed to a December 31, 2020 departure date for the U.K., this resolution has not yet been formalized. In other words, this timeline is subject to change at a moment’s notice.

Should this date stand, the U.K. and EU will facilitate a transition period during which current EU law, i.e. Privacy Shield, will continue to apply to the personal data of all U.K. citizens. The European Commission’s affirmative decision on the regulation’s protections will continue to apply to your personal data collection and transfer practices. That’s good news for everyone involved, as it means no further action will be needed for any U.S. participant until 2021.

If, however, both sides fail to finalize an official agreement that upholds this departure date and transition period, your timeline accelerates. Your Privacy Shield participation will be nullified immediately after the U.K.’s earlier departure date, and your personal data collection practices will need to meet the standards outlined by the U.K.’s Department of Commerce instead.

Your Privacy Shield Updates Can’t Wait

Whether you have until 2021 or not, one thing is certain – your personal data collection practices will need to change if you continue to do business with U.K. consumers. So why wait until the last minute to make them?

While the nature and scope of your data privacy requirements may be unique, all current Privacy Shield participants can make two immediate changes to ensure a smooth transition:

1. Your organization must update its public commitment to include the U.K. in its Privacy Shield commitment

All disclaimers, organizational boilerplates, and legal language must be updated to state that your organization’s personal data collection practices and policies have been extended to include U.K. citizens’ information. If you plan to continue relying on Privacy Shield to receive HR data from the region, your HR privacy policy must also be addressed. For example:

(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

2. You must maintain a current Privacy Shield certification and recertify annually as required by the current Framework

Without this commitment, you won’t be able to rely on the Privacy Shield Framework to receive personal data from the U.K. after its departure from the EU. This means cooperating and complying not only with the EU Data Protection Authority panel, as current requirements dictate, but with the U.K.’s Information Commissioner’s Office (ICO) as well.

Regardless of whether or not you’re prepared for Brexit’s data privacy updates, this is the first of many changes your organization will need to make if it wishes to collect, store, and use personal data going forward. Enroll in AOTMP® University’s Introduction to Data Privacy Course to prepare your team for tomorrow’s data management practice today!

**Despite the Court of Justice of the European Union’s (CJEU’s) ruling that the EU-US Privacy Shield is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US, participants have not been relieved of their obligations as dictated by the EU-US Privacy Shield Framework. The US Department of Commerce will continue to administer the program. Contact your trusted data protection authority or legal counsel for more information.