Last month, the European Commission adopted new recommendations to help organisations transfer personal data across the world with greater security.
Notably, organisations are now encouraged to incorporate risk-based assessments for personal data transfers that are centred on real-world experience rather than taking a formalised approach.
Organisations’ decisions should take into account the likelihood of government and law enforcement authorities seeking access to data as it’s transferred into the country – an issue that played a major role in the downfall of the EU–US Privacy Shield.
The publication of these recommendations coincides with the release of updated SCCs (standard contractual clauses).
Both the recommendations and the SCCs require a case-specific analysis of data protection law in third-country destinations – although the European Commission’s guidance contains greater detail.
For example, it states that assessments must be made in consultation with legal experts and must include relevant operational technical components related to the transfer.
Organisations’ assessments must demonstrate through “relevant, objective, reliable, verifiable, and publicly available or otherwise accessible information” that problematic legislation will not interfere with a data importer fulfilling its obligations under Article 46(5) of the GDPR.
If the assessment doesn’t demonstrate that, the data transfer must be suspended, or supplementary measures must be implemented.
What does this mean for your organisation?
These recommendations mean organisations will have to assess their GDPR compliance practices, introducing an ongoing assessment of third-country data protection laws.
Organisations should also expect to perform greater due diligence when they wish to transfer personal data to a third country, and gain a greater understanding of the law and practices of those countries.
Some experts have suggested that these recommendations will make way for a standardised approach in the coming months, as organisations and their counsel get used to legal analysis and further guidance is issued by regulatory bodies.
But no matter what that approach will look like, organisations must get used to the idea of greater legal burdens when transferring personal data to third countries.
If you’re looking for support with this, IT Governance is here to help. We offer a variety of consultancy services to ensure your data protection practices are compliant and effective.
Whether you need advice on a specific issue or on your compliance practices in general, our team of experts is on hand.