Deadlines and penalties are approaching with the European Union decision known as Schrems II. We help global organizations manage these changes and challenges.
The Schrems II decision invalidated Privacy Shield — a common way to legally transfer personal data from the EU to the US used by thousands of companies with operations in the US. These organizations now have a tight timeline to identify a new transfer mechanism or risk fines of up to 4 percent of worldwide revenue. Many of these companies are turning to Standard Contractual Clauses, which just got an overhaul by the European Commission.
Given the huge amount of data flowing between the EU and US, enterprises are scrambling to understand how to accommodate all the legal changes and potentially manage updates to volumes of vendor contracts.
We’ve designed our approach around the EDPB’s six-step roadmap for data transfers:
European Data Protection Board’s six-step roadmap for data transfers
Know your transfers
Identify transfer tools
Assess effectiveness of transfer tools
Adopt supplementary measures
Take procedural steps
Re-evaluate at appropriate intervals
Source: Recommendations by the European Data Protection Board, adopted on Nov 10, 2020
Unlike other privacy consultants, we partner with global law firms such as Taylor Wessing, covering dozens of jurisdictions with 1000s of lawyers to give you the best possible solution for your transfer needs.
To stay compliant with EU data privacy laws, organizations must:
New SCCs must be implemented within 3 months after publication on any new transfer (e.g., by September 2021). There is only an 18-month period to update all existing vendors to the new SCCs.
This unbudgeted burden falls on under-resourced contract management teams who are saddled with outdated vendor management processes and potentially poor vendor data. Costs will climb as the need for legal assistance grows. Plus, you will need to keep your executives in the loop about possible significant disruptions to the business.
As experienced privacy project managers, we use a proprietary methodology to help rapidly respond to the near-term problems of:
Our process can help future-proof the vendor management process and applicable systems in anticipation of additional changes to privacy requirements that will likely occur in future. We’ll help you capture where personal data is transferred, assess data transfers for permissibility, and see to it that internal and external stakeholders are engaged throughout the process.
Have questions about the Schrems II decision or the new SCCs? Let us help.