For the past few months, organisations have been trying to grasp the full extent of this summer’s Schrems II ruling – which invalidated the EU—US Privacy Shield – and what it means for data transfers outside the EU.
To help organisations meet their new requirements, the EDPB (European Data Protection Board) has released a six-step guide, which we have summarised in this blog.
1. Know your transfers
The first step is to get a clear picture of the personal data that you are transferring to a third country, which you can do by creating a data flow map.
This process helps you identify the data you store, the format and location in which it’s held, the lawful basis for processing, who is accountable for protecting it and who has access to it.
Creating a map will take some time, but you can simplify the process with our Data Flow Mapping Tool.
This software enables you to build and edit maps with dynamic drawing tools, and add all the necessary information quickly and easily.
2. Verify your transfer mechanism
Second, you must ensure that the mechanism you are using to transfer personal data is a valid transfer tool under Chapter V of the GDPR.
The first thing to check is whether the country to which you are transferring personal data is covered by an adequacy decision. These are decisions by the European Commission that a country's data protection regime provides protection essentially equivalent to the GDPR, enabling organisations to transfer personal data there without further safeguards.
If an adequacy decision isn’t in place, the next most suitable options are SCCs (standard contractual clauses) or BCRs (binding corporate rules).
BCRs apply only to multinational groups: they govern intra-group transfers of personal data from the EU to group entities in third countries.
SCCs are more widely applicable. They are model contract terms approved by the European Commission that bind the data exporter and data importer to specific data protection obligations, and they can be used for transfers between unrelated organisations as well as for straightforward intra-group transfers.
3. Assess the data protection laws in third countries
Next, you should review whether there are any laws in the country to which you are transferring personal data that affect your processes.
For the purpose of this evaluation, you must focus on relevant national data protection legislation and the Article 46 data transfer mechanism you are using.
Extra emphasis should be placed on this step when the legislation governing access to data by public authorities is ambiguous or not publicly available – as is the case in the US, for example.
The EDPB adds that where the third country's law allows public authorities to access data for surveillance purposes, organisations should assess that law against its European Essential Guarantees recommendations.
4. Identify and adopt supplementary measures
The fourth step is to implement any additional measures needed to bring the level of protection for the transferred data up to the EU standard of essential equivalence.
This is only necessary if your assessment reveals that the third country’s legislation impinges on the effectiveness of the data transfer tool you will be using.
You might find that you are required to combine several supplementary measures. Alternatively, there may be nothing you can do that would provide an equivalent level of protection, in which case you must avoid, suspend or terminate the data transfer.
5. Formal procedural steps
Next, you must take whatever formal procedural steps are required to adopt your supplementary measures. These depend on the Article 46 transfer tool you are relying on: for example, supplementary measures can be added to SCCs without prior authorisation as long as they do not contradict the clauses, whereas modifying the clauses themselves, or adapting other tools such as BCRs, may require the involvement of your supervisory authority.
The EDPB's guidance contains specific advice on this process, but you may also need to consult your supervisory authority for further guidance.
6. Monitor your measures
Finally, you must evaluate the level of protection afforded to your data transfers at regular intervals and monitor whether there have been, or will be, developments that affect your compliance obligations.
Under the GDPR's accountability principle, organisations must exercise vigilance over all data protection and data privacy requirements. In the event of a regulatory investigation, supervisory authorities will consider how carefully organisations monitored changing requirements.
Authorities have the power to suspend or prohibit data transfers that are not subject to equivalent levels of data protection.
Get started with data flow mapping
Thousands of organisations were affected by the invalidation of the Privacy Shield, and the ramifications will increase further when the Brexit transition period ends at the end of the year, making the UK a third country.
Anyone looking for a way to meet their requirements should look at our Data Flow Mapping Tool.
This software gives you full visibility over the personal data that you hold, enabling you to identify how and where it’s stored, where it is being transferred to and what protections you must implement.