Schrems II remediation: Where are we a year on?
Since the Schrems II decision invalidated the EU-US privacy shield, organisations have known they need to take a good look at their data transfers and ensure they’re safe. It’s now been a year since we initially explored what the ECJ ruling meant, so what’s changed and how can businesses move forward?
The European Commission (EC) published updated Standard Contractual Clauses (SCCs) in June. And they’ve created real urgency to act, giving organisations just three months (up to 27 September 2021) before the legacy SCCs cease to be valid for new contracts, and 18 months (up to 27 December 2022) to review and fully migrate all existing arrangements to the new SCCs. The EC has also reiterated that organisations will need to conduct Transfer Impact Assessments (TIAs) by the end of 2022, as per Schrems II.
At the same time, the UK’s Information Commissioner’s Office (ICO) announced it was working on its own International Data Transfer Agreement (IDTA), rather than endorsing the new EU SCCs. While the ICO documents released for consultation are a promising indication of what’s to come, there’s no certainty about what the IDTA will look like and what deadlines the ICO will impose.
This has left organisations with the tough task of figuring out how to manage both, without quite knowing how they’ll differ. And that becomes significantly more challenging in complex contexts, such as intra-group transfer agreements that involve both EU and UK transfers.
Amid the uncertainty, organisations need to decide how to set up their Schrems II programmes from both a legal and compliance perspective. To gather executive sponsorship and get themselves to a position where they can meet existing and upcoming deadlines, organisations should focus on three key actions:
1. Tackle immediate challenges
The initial deadlines to create and implement new SCCs seemed reasonable. But we’re seeing third parties already reaching out with new SCCs, so it’s crucial for your compliance and data protection teams to provide interim guidance about how to respond coherently.
Organisations also can’t wait for the final UK IDTA to act. The September 2021 deadline is already upon us. So, they must set their new SCCs now, ready for any new contracts.
Such activities require resources, but data protection teams are likely already swamped with BAU activities, so will struggle to tackle a strategic programme of this size. Creating a business case for focusing on new SCCs and guidance will be critical to securing stakeholder involvement and resources, and, therefore, long-term success.
2. Start with what you’ve got and build on it
Your Schrems II programme can only be successful and sustainable if your ‘privacy foundations’ are solid, namely your third party and transfers governance framework. You must answer difficult questions around your risk appetite, approach to third party assurance and governance model. Do you have senior stakeholder buy-in? Have you determined what to tackle first? Based on what criteria? Have you provided clear guidance to the business? What information do you need to be gathering to fulfil TIAs? How can you create efficiencies (such as with a library of countries)?
The Records of Processing Activities (RoPAs) you keep as part of GDPR compliance are likely to be the best place to understand your data transfer landscape and start identifying restricted transfers. And this is a great opportunity to tackle two (or more) birds with one stone – you can use the SCCs as an excuse to revisit your RoPAs to ensure they’re up-to-date, complete and actionable. Start by reviewing your RoPA template to test whether you’re collecting all the information you need.
To perform TIAs effectively, as well as to comply with pre-contractual obligations, link them to your vendor assessment (VA), using automated tools where possible. You can enhance your VA by including the information required to assess the transfer, decide whether the SCCs/IDTA are likely to be enforceable and check that appropriate protections are in place against third-party access.
This approach reduces the number of assessments you’re performing and provides the information needed to implement SCCs and TIAs, so you’re more likely to spot gaps requiring remediation. It’s also easy to hide the new section of the VA if the transfer isn’t restricted.
3. Think long term and holistically, making sure to build in flexibility
Schrems II programmes are likely to require considerable effort and resources, so it’s crucial to set up solid foundations to ensure long-term sustainability. Organisations will need to consider how to embed other privacy requirements alongside the new SCCs to avoid multiple contract updates running consecutively.
And, as TIAs are dynamic documents, organisations must review them both periodically as part of BAU and anytime something significant changes. Setting up the monitoring process now, as well as the KPIs to report against, will ensure all the effort and resources dedicated to the programme will deliver value.
Last but not least, setting up your privacy management system for success, by enabling centralised collaboration, tracking and documentation of work, is key to getting the data you need to track success and demonstrate accountability.