6 minute read 15 Dec 2020

Six steps organizations can take to comply with Schrems II


A new ruling requires organizations to ensure data protection equivalent to GDPR beyond EEA countries when sharing personal data.

In brief
  • Organizations exporting personal data must determine whether the non-EEA destination country offers protection essentially equivalent to the GDPR.
  • Where the protection is not equivalent, supplementary measures can be taken.
  • All data exporters need to document their data protection approach by following a six-step roadmap.

In July 2020, the Court of Justice of the European Union ruled in the Schrems II case, among other things, that the United States does not ensure an “essentially equivalent level of protection” to that provided in the European Union (EU) for transfers of personal data.

The case also has consequences for data transfers to all countries outside of the European Economic Area (EEA): the transfer of personal data to “third” countries cannot be a means to weaken or water down the protection afforded in the EU. To act in accordance with the General Data Protection Regulation (GDPR), organizations must comply with the Schrems II ruling – otherwise, they can expect fines of up to €20m (US$23.9m) or 4% of the total worldwide turnover of the preceding financial year, whichever is higher.

How organizations should align with Schrems II

Data controllers and processors (“the data exporter”) must assess whether the level of protection required by the GDPR is respected in the third country concerned. If not, they should assess whether supplementary measures can ensure the essentially equivalent level of protection. The European Data Protection Board (EDPB) has clarified these supplementary measures and requires the data exporter to document a roadmap of six steps. Here’s how you can follow them.

1. Know your international data transfers

The data exporter must know (i.e. map and record) its transfers to non-EEA countries, including the onward transfers made by its processors. According to the EDPB, knowing your transfers is an essential first step to fulfilling the obligations under the accountability principle.

A data discovery solution can help identify the information involved in such a transfer. The register of processing activities and the obligation to inform the data subjects can assist in mapping out all transfers. Transfers that do not (or no longer) appear to be adequate, relevant or necessary must be ceased.

Actions

In addition to employing a data discovery solution, the records of processing activities should be updated and maintained to give insight into (international) data transfers in combination with the identified type of data. The necessity of each non-EEA personal data transfer should also be established. Contract scanning tools can help automate the evaluation of the underlying contracts.

2. Identify your data transfer tools

After mapping out the various transfers, the transfer tools on which the transfers are based should be examined. According to the EDPB, if a transfer relies on an adequacy decision of the European Commission, no action is required other than monitoring whether the adequacy decision remains valid. If a transfer relies on a derogation (under article 49 GDPR), no further action is required either.

Derogations can, however, only be used for occasional and non-repetitive processing activities. Further action is required when a transfer is based on an article 46 GDPR transfer tool (i.e. standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms or ad hoc contractual clauses).

Actions

The examination of the transfer tools can be conducted with a dedicated assessment tailored to the EDPB’s requirements. This could be an extension of the Record of Processing activities (RoPa) assessment, or a separate assessment to validate the transfer tools used for international personal data transfers. As part of the assessment, all international data transfers and the validity of the chosen transfer tool are reviewed (adequacy decisions, article 46 transfer tools or derogations). A digital solution can support monitoring, tracking and assigning any additional measures.

3. Assessment of legislation in the third country

The data exporter must assess whether the law or practice in the third country may impinge on the effectiveness of the relevant article 46 transfer tool. The assessment identifies whether or not an essentially equivalent level of protection is provided. If it is, the transfer is permitted, and only re-evaluation and monitoring at appropriate intervals is required. If it is not, supplementary measures may still be able to ensure that an essentially equivalent level of protection is offered.

Actions

The assessment can be partly automated with a datastore that records the data protection measures in place per country and maps them to the requirements of the GDPR. Automation can also monitor the evolution of the legislation and measures within that third country.

4. Identify and adopt the supplementary measures

The data exporter must identify any supplementary measures that could lead to an essentially equivalent level of protection. They can be contractual, technical or organizational and may complement each other. But if the data exporter is unable to find effective supplementary measures, the transfer should not be initiated – or the data exporter must suspend or terminate the transfer if it has already started.

If, despite being unable to identify effective supplementary measures, the data exporter still intends to transfer the personal data, it must notify the competent supervisory authority. And if the transfer is started or continued without an essentially equivalent level of protection in the third country, the competent supervisory authority may impose corrective measures, such as a fine.

Actions

The (automated) mapping of the third country’s current legislation against the GDPR identifies the gap to the level of protection the GDPR requires. The organization then needs to translate that gap into mitigating measures and implement those that are not already in place under the GDPR.

Throughout the process, the risk appetite can be set to the organization’s preferred risk level in order to make a trade-off and decide on a risk-based prioritization and implementation. We apply scenario-based thinking by reviewing and assessing which technical measures should be implemented to close these gaps. Since many organizations face similar situations, transfers and gaps, some scenarios are highly similar. Our library of scenarios and guidance is expanded over time and can achieve economies of scale.

5. Take the necessary formal procedural steps

The data exporter needs to take the formal procedural steps appropriate to the supplementary measures chosen, for example by implementing contractual measures. The formal procedural steps depend on the article 46 transfer tool being used.

Actions

In addition to the measures identified in step four, an organization has to validate whether additional formal steps are needed to transfer data to a specific country. An up-to-date datastore with the formal requirements per country can provide the necessary steps, based on the assessment in the RoPa or on a separate international data transfer assessment. Identified steps should be documented in a structured way.

There are also specific steps that need to be taken in order to maintain compliance with the requirements in the long term. The formal procedural steps, such as including the measures in policies or informing employees, are outlined, and any deviation per country is specified.

6. Re-evaluate and monitor at appropriate intervals

Following the accountability principle, the data exporter must monitor, on an ongoing basis, developments in the third country that could affect the initial assessment. In addition, the data exporter must put mechanisms in place to ensure that transfers can be promptly suspended or terminated.

Actions

The re-evaluation ensures that any changes in the third country’s regulations are identified on a regular basis and that the respective assessments, documentation and controls are updated. The RoPa, data discovery, contract review and the monitoring of regulatory landscapes are important pillars when regulations or EDPB requirements change. This also applies to the risk analysis conducted in step 4, which needs to be kept up to date so that it results in the right measures to meet the level of data protection set by the GDPR. It is therefore important to monitor the situation in the third countries regularly and to update the related materials.

Summary

The Schrems II case puts additional demands on organizations to maintain data protection compliance globally. It requires technical, organizational and legal measures. The use of technology tools and automation is essential to create a manageable and efficient process that covers privacy and data protection activities.
