ICO Issues Guidance on Privacy Notices Post-Transition Period


The ICO has issued new guidelines that set out important considerations when reviewing data protection notices at the end of the Brexit transition period.

The guidelines contain functional changes that need to be made, e.g. B. changing references to “Union Law” to reflect correct terminology under the new UK data protection laws. After the transition, businesses and organizations that previously easily transferred personal data from the EU to the UK will now need to ensure that a GDPR-approved mechanism is used, and that mechanism needs to be reflected in their privacy notice.

In addition, UK-based companies and organizations that wish to continue data transfer in the EU but do not have a branch in any Member State must appoint an EU representative, the details of which must also be provided in their EU state data protection notice.

While the content information in existing privacy notices is likely to stay the same, companies will need to proactively ensure that their notices comply with both GDPR and UK data protection regulations at the end of the transition period.

It is unlikely that the information required in your privacy policy will change. You may need to:

(a) Review your privacy policy to reflect changes in international transfers.

(b) review references to your legal bases or conditions for processing when references to “Union law” or other terminology changed in the UK GDPR, and

(c) Identify your EU representative (if you need one).