- Amend it by specifying the new data transfers to the UK and explaining the chosen personal data transfer mechanism, and how the data subject can obtain a copy of the details or more information online.
- Make sure that all data subjects are informed about this change.
In addition to this, you will have to adapt your other GDPR documents to reflect the changes brought by Brexit.
5.2. Purely internal documents
For purely internal documents, such as internal policies, compliance evidence etc. that are purely meant for internal management, you can in principle make adaptions in any way you want where they are needed. Nonetheless, you should pay attention to be accurate and consistent, since in the event of an investigation, you are still accountable as a controller under the GDPR and will need to show that you took appropriate action to deal with the impact of Brexit.
5.3. Other GDPR-related documents
For other GDPR-related documents, specific requirements may apply:
- If you have (sub-)processors in the UK, to which you will send data from the EEA, you will need to adapt the data processing agreement to reflect this and to identify the data transfer mechanism. You will also have to instruct the processor to allow for this transfer.
- If a controller in the UK is a joint controller together with a controller in the EEA, the joint controller agreement will need to be adapted to reflect the data transfer mechanism used after Brexit, to deal with the potential need for the UK controller to appoint a representative within the meaning of the GDPR, and to address the potential shift in respective responsibilities towards the data subject.
- For your record of processing activities, you will have to add the information about recipients in third countries and data transfers in accordance with Article 30 GDPR. Controllers must record both categories of recipients in third countries and data transfers to third countries, whereas processors must only record the latter.
In addition to updating existing documents, you may need to evaluate the need for additional documents. Generally, it will be good to document your efforts taken in the wake of Brexit in order to comply with your obligation of accountability under the GDPR. Moreover, if following Brexit, you must appoint a representative, you will need to conclude an agreement with that entity to ensure its proper function as a representative under the GDPR.
This article is part 5 of a serie of 6 articles about Brexit:
- Do I have to take into account the GDPR after Brexit?
- How to identify whether your processing activities are impacted by Brexit?
- Which personal data transfer mechanisms can you use?
- How to implement a personal data transfer mechanism?
- Which supervisory authority is competent after Brexit?