Considerations for Updating your Data Maps Post-Schrems II
In July 2020, the Court of Justice of the European Union (“CJEU”) handed down its ruling in the Schrems II case and invalidated the EU-US Privacy Shield. Organizations that had relied on it were required to immediately re-evaluate their data transfer practices, re-think their data strategy, and find another lawful means of transferring personal data outside of the EU. Although the Schrems II proceedings also questioned whether the EU Standard Contractual Clauses (“SCCs”) provide an adequate level of protection for personal data, the CJEU upheld the validity of the SCCs, and therefore their use as a mechanism for transferring personal data outside of the EU. The CJEU did, however, make clear that the exporter must assess, on a case-by-case basis, whether the law of the destination country allows the SCCs to be honored in practice, and must add supplementary measures where it does not. In our July blog titled A Closer Look at Implementing EU Model Clauses and Binding Corporate Rules (“BCRs”), our team walks through the reasoning behind the ruling and explores alternatives to the Privacy Shield, such as the SCCs, which remain a permitted transfer mechanism under the General Data Protection Regulation (“GDPR”). In this blog, our team presents what organizations should do to ensure that their data transfers are in line with GDPR.
Organizations that relied on the Privacy Shield should already have an enterprise data map showing what personal data the organization collects, processes, and maintains; however, most organizations still need to carefully examine what safeguards are in place to secure that data once it leaves the EU. Organizations will need to take significant steps to ensure that appropriate safeguards and supplementary measures are in place to protect personal data when it is transferred across borders.
To do this, organizations should begin by reviewing their data privacy programs. Organizations should review and update their existing data maps to ensure that the documented data flows remain accurate and reflect current operating models. Accurate and complete data maps are the foundational starting point: without a concrete understanding of how personal data is collected, used, and shared, it will be difficult to implement the SCCs and to carry out the transfer assessments they now require. The following are key points for organizations to consider:
- Revisit all existing data maps: In reviewing the organization’s data maps, identify the entities and departments that have access to personal data, the countries from which personal data is collected, and the countries to which it is transferred. In parallel, review and update the categories of personal data being collected and transferred. For each transfer, confirm that the receiving entity has a valid transfer mechanism in place, and document the technical controls that already protect the data, such as encryption, access controls, and other security controls, since these form part of the supplementary measures the CJEU expects.
- Update your inventory of vendors: Identify any vendors in your data ecosystem that relied on the Privacy Shield as the mechanism for transferring EU personal data to the US. It is important for organizations to understand exactly which personal data transfers were covered by the Privacy Shield. Once identified, review the current agreements with these vendors and negotiate updated data processing agreements that incorporate the SCCs so that EU personal data can continue to be transferred to the US lawfully. Then update the data maps to reflect these vendors and the mechanism now governing each transfer.
- Update the organization’s intra-group cross-border data transfers: Organizations with existing intra-group data transfer agreements, especially for transfers of personal data from the EU to countries outside the EU, should re-evaluate those agreements to ensure that they continue to provide appropriate safeguards for the transfers. Where no agreement is in place, identify the types of personal data being transferred and the relationship between the parties (e.g., controller-to-controller, controller-to-processor) and ensure that the applicable set of SCCs is put in place.
It is important to recognize that transfers relying solely on the Privacy Shield no longer have a lawful basis under GDPR, and the CJEU granted no grace period. Organizations should therefore assess the level of protection that personal data receives in the destination country and, alongside the SCCs, implement supplementary measures that ensure the rules protecting personal data continue to apply regardless of where the data lands.
With globalization, the transfer of personal data is a normal and necessary practice; however, as regulations continue to change, transferring personal data is no longer a straightforward process. As a result, managing personal data is not an easy lift for most organizations.
Our team of experts can help you gain deeper insight into all of the organization’s data flows, including identifying vendors, business partners, internal groups, and the safeguards in place to protect the data. Being able to identify how data moves internally and externally is key to ensuring compliance with the GDPR and, in turn, to ensuring that the SCCs you rely on are valid.
An organization can only do this effectively with a comprehensive Privacy Compliance Assessment that identifies and inventories all of the personal data it stores, processes, transfers, and uses, so that it can demonstrate compliance with the GDPR and with the requirements of the SCCs.
Interested in talking more about privacy and data protection? Get in touch with us.