Schrems II: A catalyst for evolving data privacy practice
This blog has been co-authored by Sophie Rothbarth and Michael Erras
In July 2020, claimant Max Schrems emerged victorious from the Court of Justice of the European Union (CJEU), which declared the Privacy Shield transatlantic agreement invalid. The judgement stopped the free flow of personal data between the EEA, the UK and the United States, embedded risk assessments into the rules on international data transfers, and set out stricter requirements for transfers of personal data based on standard contractual clauses (SCCs).
This ruling has far-reaching implications for data transfers beyond the UK and European Economic Area. Far from only impacting the use of SCCs (as is often perceived), the finding will require significant effort from financial organisations across the data transfer process. Organisations must ensure that the data subject is granted an equivalent level of protection to that guaranteed by GDPR and, if necessary, introduce additional measures to make up for gaps in third country legal frameworks. If such measures cannot be implemented, operators must suspend the transfer of personal data outside the UK and EEA.
UK firms should not wait for the release of the full Information Commissioner's Office (ICO) guidance. There is sufficient information to identify actions to be taken now and to evolve existing privacy practices.
Identifying existing data transfers is the basis for a Schrems II remediation project
The keystone for good data protection practices is to understand what personal data is held and how it is processed. With Schrems II remediation in mind, organisations must capture what transfers are taking place, including the categories of personal data involved and the recipient countries, and a thorough data mapping exercise should be undertaken to identify all personal data flows. While the GDPR record of processing offers a reasonable start for this exercise, it typically lacks key information or may need to be revalidated to ensure accuracy. Firms therefore need to plan and resource a comprehensive data mapping project to capture detailed information, including where the data is transferred to, where it is accessed from (typically overlooked), and where it is ultimately stored. This can then be supplemented by information covered in the Records of Processing Activity, such as categories of personal data and the legal basis of processing, to carry out a risk assessment.
This is a complex activity due to the number of stakeholders involved for each transfer, and the associated time and resource required should not be underrated. Completing a high-quality data mapping exercise is crucial for good standards of data protection: without understanding how personal data is processed (and specifically where it is transferred to and accessed from), organisations cannot ensure adequate standards of data protection.
Once firms understand their data transfers, they can identify the gaps in data protection law
For data transfers beyond the UK or EEA, firms will need to conduct a Transfer Risk Assessment (TRA). Having identified the recipient countries through the data mapping exercise, firms can complete a risk assessment against the data protection law of the recipient jurisdiction. This will involve assessing the gaps in data protection law between the EU/UK GDPR and the recipient country (which will often require external legal support) to identify to what extent the personal data would enjoy equivalent protection under the recipient country's jurisdiction.
Where the transfer risk assessment indicates a risk to the personal data, firms must identify appropriate safeguards to further protect the data. This will often involve multiple central functions, including the Data Protection Officer, Compliance, Legal and Third Party Management, so responsibilities and inputs should be set out early in the process. The identification of appropriate safeguards needs to consider two aspects. Firstly, it will need to consider what gaps exist between the EU/UK GDPR and the recipient country. Secondly, the potential safeguards would need to be informed by the likelihood of the personal data, e.g. an employee's tax records, being accessed by local authorities. For example, it is likely that employees' or customers' tax records would be of greater interest, and more susceptible to access by local authorities, than typical HR data. As such, these personal data categories may need additional protection to ensure the integrity of the data.
International data transfer processes need to be updated and contracts must be remediated
In addition to embedding risk assessments into the rules on international data transfers, the court ruling also invalidated the existing standard contractual clauses. As such, the European Data Protection Board (EDPB) has issued updated SCCs, with the ICO expected to set out a new approach for SCCs during Q1 2022. Whilst no deadlines have been officially announced by the ICO, it is expected that data transfers from the UK will need to transition to these new SCCs by December 2022. Data transfers from the EU can transition to the EU SCCs already provided by the EDPB, and all contracts will need to have moved to the new SCCs by December 2022. Again, by using the data mapping exercise, firms will be able to identify the associated contracts that need to be transitioned to the new SCCs and initiate the contract remediation process in good time.
Beyond contractual documentation, firms will also need to design the future-state process for international data transfers beyond the EEA and update all associated documentation. This will likely impact Data Protection Policies and Standards, Data Privacy Notices, and Data Privacy Impact Assessments, and will require senior stakeholder engagement and sign-off.
The Time to Act is Now
Firms should be planning for, and starting to implement, the above steps to evolve their privacy practices in line with the changing regulatory environment and growing customer expectations. Undertaking a comprehensive data mapping exercise is key to good quality data protection practices and will form the keystone to data transfer remediation. Considerable effort will need to be expended on the complex task of mapping data flows, assessing location-specific risks, and designing and implementing appropriate controls. To be confident that new arrangements meet the required standards, the time to start is now.
BCS has helped a wide variety of firms with data protection initiatives including International Data Transfers, Records of Processing Activity reviews and GDPR compliance programmes. Please contact Michael Erras or Sophie Rothbarth for further information and support.