3. Assessment of legislation in the third country
The data exporter must assess whether the law or practice in the third country may impinge on the effectiveness of the relevant Article 46 transfer tool. The assessment will identify whether or not an essentially equivalent level of protection is provided. If it is, the transfer is permitted, and only re-evaluation and monitoring at appropriate intervals is required. If it is not, supplementary measures can ensure that an essentially equivalent level of protection can be offered.
Actions
The assessment can be partly automated with the use of a datastore that includes the data protection measures taken per country which can be mapped to the GDPR legislation. Automation can monitor the evolution of the legislation and measures within that third country.
4. Identify and adopt the supplementary measures
The data exporter must identify any supplementary measures that could lead to an essentially equivalent level of protection. They can be contractual, technical or organizational and may complement each other. But if the data exporter is unable to find effective supplementary measures, the transfer should not be initiated – or the data exporter must suspend or terminate the transfer if it has already started.
If the data exporter still intends to transfer the personal data, the competent supervisory authority must be notified. And if the transfer is started or continued without an essentially equivalent level of protection in the third country, the competent supervisory authority may impose corrective measures, such as a fine.
Actions
With the mapping between the current legislation in the third country and the GDPR automated, the organization needs to implement the measures that are not already implemented under the GDPR. The gap to the level of protection provided by the GDPR is identified from the mapping and needs to be transformed into mitigating measures.
Throughout the process, the risk appetite can be set to the organization's preferred risk level in order to make a trade-off and decide on a risk-based prioritization and implementation. We apply scenario-based thinking by reviewing and assessing which technical measures should be implemented to close these gaps. Since many organizations are facing similar situations, transfers and gaps, some scenarios are highly similar. Our library with scenarios and guidance is expanded over time and can achieve economies of scale.
5. Take the necessary formal procedural steps
The data exporter needs to take the formal procedural steps appropriate to the supplementary measures chosen, for example by implementing contractual measures. The formal procedural steps depend on the article 46 transfer tool being used.
Actions
In addition to the measures identified in step four, an organization has to validate whether additional formal steps are needed to transfer data to a specific country. An up-to-date datastore with the formal requirements per country can provide the necessary steps based on the assessment in the RoPa or a separate international data transfer assessment. Identified steps should be documented in a structured way.
There are also specific steps that need to be taken in order to maintain compliance with the requirements in the long term. The formal procedural steps, such as including the measures in the policy or informing the employees, are outlined, and any deviation per country is specified.