How to update your privacy policy and internal documents?

The changes that you may have to make following Brexit will need to be reflected in your privacy policy/information notice towards data subjects, and in your internal policies and your GDPR-related documents.

5.1. The privacy policy/information notice

For the privacy policy/information notice, take the following steps:

  • Start by reviewing your current privacy policy.
  • Amend it by specifying the new data transfers to the UK and explaining the chosen personal data transfer mechanism, and how the data subject can obtain a copy of the details or more information online.
  • Ensure that the privacy policy/information notice is adapted to your target audience, easy to read and drafted in accessible language.
  • Make sure that all data subjects are informed about this change.
  • Extra: for UK companies that must appoint a representative following Brexit (see above): add their contact details to your own in the privacy policy/information notice, clarifying their role as a representative for you (the controller). Do not remove your own contact details.

In addition to this, you will have to adapt your other GDPR documents to reflect the changes brought by Brexit.

5.2. Purely internal documents

For purely internal documents, such as internal policies, compliance evidence etc. that are meant only for internal management, you can in principle make adaptations in any way you want where they are needed. Nonetheless, you should take care to be accurate and consistent, since in the event of an investigation you are still accountable as a controller under the GDPR and will need to show that you took appropriate action to deal with the impact of Brexit.

5.3. Other GDPR-related documents

For other GDPR-related documents, specific requirements may apply:

  • If you have (sub-)processors in the UK, to which you will send data from the EEA, you will need to adapt the data processing agreement to reflect this and to identify the data transfer mechanism. You will also have to instruct the processor to allow for this transfer.
  • If a controller in the UK is a joint controller together with a controller in the EEA, the joint controller agreement will need to be adapted to reflect the data transfer mechanism used after Brexit, to deal with the potential need for the UK controller to appoint a representative within the meaning of the GDPR, and to address the potential shift in respective responsibilities towards the data subject.
  • For your record of processing activities, you will have to add the information about recipients in third countries and data transfers in accordance with Article 30 GDPR. Controllers must record both categories of recipients in third countries and data transfers to third countries, whereas processors must only record the latter.

In addition to updating existing documents, you may need to evaluate the need for additional documents. Generally, it will be good to document your efforts taken in the wake of Brexit in order to comply with your obligation of accountability under the GDPR. Moreover, if following Brexit, you must appoint a representative, you will need to conclude an agreement with that entity to ensure its proper function as a representative under the GDPR.

Related

This article is part 5 of a series of 6 articles about Brexit:

  1. Do I have to take into account the GDPR after Brexit?
  2. How to identify whether your processing activities are impacted by Brexit?
  3. Which personal data transfer mechanisms can you use?
  4. How to implement a personal data transfer mechanism?
  5. How to update your privacy policy and internal documents?
  6. Which supervisory authority is competent after Brexit?