September 30, 2022
In 2021, the European Commission released the new Standard Contractual Clauses (SCC). They govern data transfers from the European Economic Area (EEA) to third countries, such as the United States. These are countries that, in the view of the European Commission, offer insufficient measures of data privacy and protection.
Changing contracts is a daunting task. This is why the Commission allowed companies to have a transition period. But that time is coming to an end. All companies transferring personal data from the EU to a third country must update their SCCs by December 27th, 2022.
For larger companies, the task isn’t as hard. Sure, they have more contracts and usually work with larger quantities of data. But they also have dedicated departments and processes in place to deal with such changes.
For small- and medium-sized businesses (SMBs), complying with the new SCCs might prove challenging. So let’s take a closer look at how the standard contractual clauses are changing and how you can prepare.
The discussions began in 2020 when the European Court of Justice (CJEU) ruled in the Schrems II case. The court decided Facebook Ireland’s data transfer practices were not valid. As a result, the Privacy Shield also became invalid.
The General Data Protection Regulation (GDPR) requires transparency when transferring data outside of the EU. It also requires informed consent from the user. And in light of Schrems II, it became clear that the old SCCs were not enough anymore.
On June 4th, 2021, the Commission released the new Standard Contractual Clauses. They gave companies over a year to comply. New contracts needed to reflect the new SCCs starting in September 2021. But for older contracts, companies had about 18 months to make the transition.
There are several changes. For instance, the new SCCs include four modules:
There is now more guidance for transferring data from the EU to a country with different privacy regulations.
You’ll also need to conduct a data protection impact assessment. If the importer can’t demonstrate they’ll be able to meet the necessary level of protection, the transfer shouldn’t take place.
The new Standard Contractual Clauses should also include annexes detailing the data privacy practices of both importer and exporter. This makes it easier to assess compliance and requires businesses to discuss their privacy practices explicitly.
Changing old contracts is never easy. And some say SMBs have it even harder.
Perhaps you don’t have a data privacy officer (DPO) yet, even though you want to transfer data outside of the EU. Or, if you have a DPO, they may be wearing more hats and taking care of far more tasks than they should.
You might also have a distributed or hybrid model of governance rather than a centralized one. While that’s not technically wrong, it increases your risk of mistakes and non-compliance. But that doesn’t mean you’re doomed to fail. Here are a few steps you can take.
The first step to compliance is reviewing existing contracts — especially those drafted before the introduction of the new SCCs. But, for good measure, don’t overlook the contracts closed in the past year.
The audit should include both internal and external data transfers and relationships. Look for the ones that pose the greatest risk and work your way from there.
One step to Schrems II-proof your business is to assess the risk and the impact of transferring data. You must consider:
You’ll need to document the assessment. Upon request, you’ll need to present the documentation to relevant authorities.
You should conduct the assessment both for new and old contracts. This is not a one-time process. You’ll need to update your assessment in case the local laws of the importer change.
Another important step is data mapping. You should start by looking at all your current data transfer processes. Which data is going where? The emphasis will be on transfers from the EU or European Economic Area to a third country.
Don’t look only at intentional transfers. There might be some incidental transfers happening as well, such as during a backup or through remote access.
As the exporter, you are responsible for the security of the data transfer. This is a step you’ll need to implement on a case-by-case basis.
The transfer impact assessment will give you an idea of the risks each transfer poses. And with that, it will also tell you if additional security measures are needed or not.
You will need to develop contracting practices for any agreement that includes transferring personal information from the EU or EEA to a third country.
You must include a regular review of the importer’s security and privacy measures. Your goal should be to ensure they remain compliant with the requirements of the SCCs.
Most companies will include this step in the transfer impact assessment. But you can also view it as a separate step.
The goal is to verify if data privacy and security are ensured at all times. And if any adequacy decisions exist, make sure they remain in place.
Switching to the new Standard Contractual Clauses may seem like a daunting task. For small businesses without a dedicated legal department, this task may seem even more challenging. But it doesn’t have to be.
A few measures, like reviewing existing contracts, assessing the impact of transfers, and conducting data mapping, are the first steps to compliance.
Osano can help you on your compliance journey in more ways than one. For example, if you need a GDPR representative, we’ve got you covered with one of our EU-local attorneys. Learn more about how we can help you by scheduling a demo today.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”