Schrems II Aftermath: A Practical Viewpoint
In the short period since the Court of Justice of the European Union (CJEU) handed down judgment in the “Schrems II” case (C-311/18) on 16 July 2020, much ink has been spilled on the legal ramifications of the CJEU’s conclusions and the future of data flows from the EU, including the resulting legal burdens on data exporters and data importers. Compounding the uncertainty are the expected updates to the Standard Contractual Clauses (SCCs) by the European Commission to bring them into line with the EU General Data Protection Regulation (GDPR); these revisions are also likely to be shaped by the CJEU’s judgment.
Amid this uncertainty, it is important to cut through the noise and maintain perspective, which means focusing effort and resources on the things that can be controlled. Localising or regionalising data storage in the EU may be one option to consider, but the reality is likely to have many Chief Technology Officers waking in a cold sweat at the thought of the costs and complexity involved and the potential impact on operational stability.
Organisations should instead use this period as an opportunity to formulate a defensible position in this area by:
- understanding the potential risk exposure;
- revisiting existing privacy and data protection controls; and
- focusing on operational compliance areas to mitigate these risks where possible.
This process may include validating data flow maps and records of processing activities, reviewing current data sharing protocols, and determining the effectiveness of contractual measures and compliance monitoring around the outsourcing of core processes and the procurement of systems and services.
Organisations will always face a risk of domestic and overseas state authorities requesting disclosure of data. Taking a proactive approach, by ensuring there is an organisational policy and a defined protocol in place, will help manage and mitigate the risks associated with such requests. Where appropriate, data minimisation measures, pseudonymisation or techniques such as differential privacy could be applied to data sets in those exposed jurisdictions which give rise to particular concern or risk of forced disclosure. A practical caveat: pseudonymisation or encryption only reduces exposure if the re-identification key or decryption key is held solely by the data exporter (or another party outside the reach of the authority concerned); if the importer holds the key, a disclosure order served on the importer can reach the underlying personal data.
How will this impact the organisation?
The implications of the ruling for organisations have been well documented. While the potential for enforcement action by Data Protection Authorities or class action lawsuits by individuals cannot be discounted, it is important that communication to senior management on the implications of the ruling is undertaken in a measured way, focusing on what can be controlled rather than on the ‘what ifs’.
Any response should take account of immediate priorities, be thoughtful and proportionate, and enable senior management to commit budget and resources to mitigate any potential exposure. Senior executive concerns are likely to centre on the implications for existing business models, IT infrastructure and clients, as well as the associated costs. The considerations of most relevance will be those relating to existing outsourced relationships, business operations and data hosting which involve the export and/or import of personal data to/from the EU. With Brexit added to the mix, potentially affecting data transfers between the EU and the UK from 1 January 2021 when the transition period ends, many businesses can be forgiven for wondering when the uncertainty will end.
Practical response
Organisations can take a measured approach to evaluating the extent of their exposure to the ramifications of the CJEU’s ruling and to taking practical measures to mitigate and manage their cross-border data transfer risks.
Step 1 - Evaluate: Prioritise and review processing operations involving international transfers of personal data
- Use or develop the Article 30 record of processing activities as a starting point to identify processing operations involving international transfers from the EU/EEA;
- Classify and prioritise international transfers according to the volume and type of data processed, the sensitivity of the data involved and the frequency of transfers;
- Distinguish intra-group data transfers from transfers to external parties;
- Prioritise transfers reliant on business-critical vendors and systems such as cloud computing and infrastructure storage solutions; and
- Triage processing operations according to the destination countries receiving the largest volumes of data.
Step 2 - Respond: Review international data transfer mechanisms used in prioritised processing operations, document potential risk and determine additional measures
- Evaluate the roles of the parties involved in the transfers (controller-to-controller, controller-to-processor etc.) and the extent of their potential exposure to data disclosures outside the data exporter’s control;
- Determine the existing transfer mechanisms for key processing operations and review their suitability by conducting a transfer impact assessment;
- Prioritise processing operations whose transfers rely on the EU-US Privacy Shield (which the CJEU has invalidated and which can no longer be used as a lawful basis) or on SCCs (which remain valid, but only where the exporter has assessed that the laws of the destination country do not undermine the protection they provide), and identify alternative means of legitimising the transfers, e.g. derogations, or supplementary safeguards, e.g. encryption with keys held only by the exporter, or anonymisation where the data genuinely cannot be re-identified;
- Record potential risks involved in the transfers for relevant processing operations in the transfer impact assessment;
- Initiate remediation and mitigation actions where practicable, e.g. reviewing and updating high-risk vendor contracts.
Step 3 - Risk Management: Review and update international data transfers and vendor risk management policies and procedures
- Develop a clear data disclosure policy defining the protocols to be followed where the organisation acts as data exporter and/or data importer;
- Ensure vendor risk assessment criteria include evaluation of enhanced data security controls and of the vendor’s protocols for responding to and managing disclosure requests from domestic and overseas law enforcement and intelligence authorities;
- Modify the standard data protection terms used in supplier contracts to include enhanced data security undertakings and a requirement for documented protocols for managing data disclosure requests;
- Implement a risk-based approach to categorise risks posed by individual countries informed by publicly available information and regulatory guidance taking into account the adequacy criteria defined in Article 45(2) of the GDPR; and
- Review and update privacy impact assessment (PIA) and vendor risk assessment questionnaires to ensure due consideration is given to exposure to potential regulatory data disclosure requests through the vendor and third-party supply chain.
Step 4 - Monitor: Maintain a watching brief
- Monitor guidance from the European Data Protection Board (EDPB), EU Member State Data Protection Authorities and industry groups on approaches to regulating international data transfers, and update policies and procedures as and when necessary.
How A&M can help
A&M’s consultants work with you to understand and manage your international data flows and advise on the most appropriate approach to managing the associated risks.
Understand and improve current state exposure
- Work closely with cross-functional stakeholders to identify processing operations involving large-scale data transfers and involving critical vendors;
- Adopt a risk-based approach to categorise and prioritise processing operations involving third party suppliers and vendors in the supply chain; and
- Identify and review the suitability of existing transfer mechanisms, in particular SCCs, Privacy Shield (now invalidated, pending any successor framework), Binding Corporate Rules (BCRs) and GDPR derogations, for intra-group and external data transfers.
Privacy and data compliance improvement
- Holistic assessment of existing privacy and data protection framework to enhance the ability to identify international transfers and manage risk;
- Design and implement procedures for identifying, recording and categorising processing operations involving international transfers and the transfer mechanisms underpinning them;
- Assess existing Privacy Impact Assessment and vendor risk assessment frameworks and procedures and advise on improvements; and
- Develop organisational policies and procedures for handling external disclosure requests in a balanced, proportionate and consistent manner.
The A&M Differentiator
A&M’s privacy and data compliance practice supports clients in navigating the evolving and complex data protection regulatory landscape and in developing and implementing solutions to address these challenges.
The practice provides specialist advisory and consulting services on international and cross-border privacy, data protection, secrecy and related laws and sectoral rules. Professionals within the practice include former consultants, regulators, data protection officers and certified information privacy professionals who are skilled at aligning and implementing complex regulatory requirements within operational processes and settings.