This post is a continuation of our pragmatic advice on dealing with the consequences of the recent Schrems II judgement of the CJEU, which invalidated the Privacy Shield and put in question the way organisations transfer data outside the EU/EEA.
We are focusing on the practical steps an organisation should take internally in reaction to the Schrems II judgement.
We’ve said it before: the end of Privacy Shield (as with Safe Harbor before it) is not the end of the world. The last time a transfer mechanism was invalidated it happened with much less fanfare, but we still lived to see a new one come and go.
Our advice – don’t panic, don’t listen to those who tell you to cancel your contracts, but DO come up with a plan and tackle the challenge.
Some steps to go through
Step 1: Inform your internal stakeholders
Hopefully you are already underway here and have had some discussions, but the people you must reach include:
- The top management and Board: the Schrems II decision has been widely publicised; even if your top management does not have a keen interest in privacy, they will have heard about it. Explain the essence of it, but mostly focus on the impact on your organisation:
How are we affected and what do we need to do (CEO)? Does it affect operations (COO)? What are the consequences for your tech stack (CTO)? Is there a budget consequence (CFO)?
- The teams with an interest in, and impact on, the follow-up: privacy work is interdisciplinary, and so is understanding your contracts and data flows. Procurement and tech teams are the allies that need to be on board. Security and legal (depending on your organisational setup) are other likely participants.
Again, explain what is required of them and how much time and effort they should expect to put into this matter.
Step 2: Get in control (of your transfers)
Your critical task is really to understand which of your data flows are affected. In an ideal world this requires only a look at your perfectly kept Records of Processing Activities. There you should be able to see all the locations of your data and also the legal basis for each transfer.
If your Records do not give you that comfort, you probably need to dig into your tech stack and your contracts (whichever is easier for you).
The outcome should be a list of all your services and data flows that involve a transfer, together with the transfer mechanisms you rely on. Give yourself some extra credit whenever you still used Safe Harbor!
Step 3: Prioritise
Not all of your vendors are created equal! And neither are all the transfer mechanisms (or countries for that matter).
Looking at your list, decide what to tackle first; consider it from several perspectives:
- Transfer mechanism:
Privacy Shield is clearly no longer valid, SCCs require more work, and other legal bases of transfer will need treatment similar to that of SCCs. Privacy Shield creates immediate urgency, so it automatically goes to the top of your list, but the other bases also require additional work.
- Data categories:
Which personal data and which data subject categories are you transferring? Consider both the volume of personal data records and its criticality: is the data sensitive, are you passing on e-commerce data? Is it data of customers or employees?
Here, take into account how likely it is that this data is of interest from a national security perspective (no need for an in-depth assessment yet; you just want a quick and dirty prioritisation).
- Business Criticality:
Which systems are nice-to-haves and which are business-critical? If you were suddenly asked to stop the transfer, how big a risk would that be to your day-to-day operations?
- Transfer location:
While the United States is currently in focus, that does not mean you can forget about other countries – again, no need for a thorough analysis, but some thought about surveillance and the availability of redress to data subjects will help you assign priority.
Weighing these different aspects, you probably have a good impression of what goes to the top of your list – now it’s time to send out some emails and pick up the phone.
Step 4: Reach out to your vendors
Just as not all transfers are created equal, vendors will differ in their approach. Among your list there are surely vendors that have been working on this issue for a long time and may already offer a new solution: a siloed EU location, or a new set of SCCs together with a review of the requests they have received from national security agencies. Others, especially smaller vendors, might be unaware of the issue, and you might need to drive the conversation.
Push for a review and talk to the vendor about the best way forward.
Step 5: Amend your contracts
Step 4 will probably lead to some interesting discussions – and ultimately to a bit of back and forth; still, the end point should be an amendment to the contract. As a tip, consider adding a clause that obliges your processor to always find an alternative transfer mechanism should Max Schrems decide to strike again.
The process will require dedication and time, but it will get your organisation to where it needs to be. If you struggle to get resources for this unexpected activity, reach out to us. We have experienced privacy experts who can help you drive this process efficiently.