The Schrems II judgement invalidated Privacy Shield and highlighted a need to supplement Standard Contractual Clauses (SCCs) with additional measures when transferring personal data to countries that do not offer “Essentially Equivalent” protection to the EU.
This Data Transfer Impact Assessment enables companies to confirm if a transfer is in scope of the judgement and clarifies required next steps.
Required changes have not always been clear and updates to existing supplier relationships are potentially disruptive and costly.
BH Consulting have been working with our customers for a long period to identify in-scope transfers and plan required work. This has allowed us to lay solid foundations for change: first updating those agreements that rely upon Privacy Shield, then assessing risks associated with agreements that rely upon Standard Contractual Clauses (SCCs). Our early action on risk assessment laid foundations for this data transfer impact assessment, integrating the latest advice from the EU.
The BH Consulting Transfer Impact Assessment (TIA) clarifies an organisation’s exposure to risks linked to transferring personal data of EU residents to countries without an existing EU data protection adequacy agreement.
A Transfer Impact Assessment (aka a Transfer Risk Assessment) is required to comply with the Schrems II ruling and supports planning for any required change.
Transfer Impact Assessments are mandated in both the European Data Protection Board (EDPB) guidance on Supplementary Measures and the updated draft of the Standard Contractual Clauses (SCCs).
Each individual assessment is relatively quick to do, clarifies required next steps, and enables our clients to demonstrate GDPR accountability to both internal stakeholders and customers. It also provides clarity about scope to illustrate effort required and prioritise work.
The output of the assessment provides clients with an understanding of the steps required and the means to plan changes to mitigate or minimise highlighted risks.
We work with organisations on developing an action plan to manage the implementation of the given recommendations. Our experienced consultants will also help clients establish and document the tailored Data Transfer Impact Assessment process for their organisation to use internally.
BH Consulting can help by:
- Identifying and assessing compliance of in-scope transfers of EU residents’ data with the Schrems II ruling and relevant requirements in the EU and UK GDPR
- Enabling prioritisation and planning to remediate any non-compliance
- Enabling clients to respond to customer enquiries about EU data transfer compliance after the Schrems II ruling
- Advising on supplementary measures to introduce for particular types of transfers
This service can be carried out remotely.
- Understand your exposure to changes required by updated Data Privacy guidance, in line with Schrems II
- Prioritise next steps based upon legal requirements, EU guidance, and your local risk
- Demonstrate your due diligence and progress towards compliance with both the GDPR and other comparable laws and regulations
- Build a reusable risk-based overview of data transferred to existing and future suppliers
- Establish mature mechanisms to keep on top of due diligence and contract assurance for personal data transfers