It’s Time for Privacy Pros to Make a Strategic Shift
The importance of effective data privacy can no longer be ignored.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: April 11, 2023
Published: September 30, 2022
In 2021, the European Commission released the new Standard Contractual Clauses (SCC). They govern data transfers from the European Economic Area (EEA) to third countries, such as the United States. These are countries that, in the view of the European Commission, offer insufficient measures of data privacy and protection.
Changing contracts is a daunting task. This is why the Commission allowed companies to have a transition period. But that time is coming to an end. All companies transferring personal data from the EU to a third country must update their SCCs by December 27th, 2022.
For larger companies, the task isn’t as hard. Sure, they have more contracts and usually work with larger quantities of data. But they also have dedicated departments and processes in place to deal with such changes.
For small- and medium-sized businesses (SMBs), complying with the new SCCs might prove challenging. So let’s take a closer look at how the standard contractual clauses are changing and how you can prepare.
The discussions began in 2020 when the European Court of Justice (CJEU) ruled in the Schrems II case. They decided Facebook Ireland’s data transfer practices were not valid. As a result, the Privacy Shield also became invalid.
The General Data Protection Regulation (GDPR) requires transparency when transferring data outside of the EU. It also requires informed consent from the user. And in light of Schrems II, it became clear that the old SCCs were not enough anymore.
On June 4th, 2021, the Commission released the new Standard Contractual Clauses. They gave companies over a year to comply. New contracts needed to reflect the new SCCs starting in September 2021. But for older contracts, companies had about 18 months to make the transition.
There are several changes. For instance, the new SCCs include four modules:
There is now more guidance for transferring data from the EU to a country with different privacy regulations.
You’ll also need to conduct a data protection impact assessment. If the importer can’t demonstrate they’ll be able to meet the necessary level of protection, the transfer shouldn’t take place.
The new Standard Contractual Clauses should also include annexes detailing the data privacy practices of both importer and exporter. This makes it easier to assess compliance and requires businesses to discuss their privacy practices explicitly.
Changing old contracts is never easy. And some say SMBs have it even harder.
Perhaps you don’t have a data privacy officer (DPO) yet, even though you want to transfer data outside of the EU. Or, if you have a DPO, they may be wearing more hats than they should, taking care of far more tasks than they should.
You might also have a distributed or hybrid model of governance rather than a centralized one. While that’s not technically wrong, it increases your risk of mistakes and non-compliance. But that doesn’t mean you’re doomed to fail. Here are a few steps you can take.
The first step to compliance is reviewing existing contracts — especially those drafted before the introduction of the new SCCs. But, for good measure, don’t overlook the contracts closed in the past year.
The audit should include both internal and external data transfers and relationships. Look for the ones that pose the greatest risk and work your way from there.
One step to Schrems II-proof your business is to assess the risk and the impact of transferring data. You must consider:
You’ll need to document the assessment. Upon request, you’ll need to present the documentation to relevant authorities.
You should conduct the assessment both for new and old contracts. This is not a one-time process. You’ll need to update your assessment in case the local laws of the importer change.
Another important step is data mapping. You should start by looking at all your current data transfer processes. Which data is going where? The emphasis will be on transfers from the EU or European Economic Area to a third country.
Don’t look only at intentional transfers. There might be some incidental transfers happening as well, such as during a backup or through remote access.
As the exporter, you are responsible for the security of the data transfer. This is a step you’ll need to implement on a case-by-case basis.
The transfer impact assessment will give you an idea of the risks each transfer poses. And with that, it will also tell you if additional security measures are needed or not.
You will need to develop contracting practices for any agreement that includes transferring personal information from the EU or EEA to a third country.
You must include a regular review of their security and privacy measures. Your goal should be to ensure they remain compliant with the requirements of the SCCs.
Most companies will include this step in the transfer impact assessment. But you can also view it as a separate step.
The goal is to verify if data privacy and security are ensured at all times. And if any adequacy decisions exist, make sure they remain in place.
Switching to the new Standard Contractual Clauses may seem like a daunting task. For small businesses without a dedicated legal department, this task may seem even more challenging. But it doesn’t have to be.
A few measures, like reviewing existing contracts, assessing the impact of transfers, or conducting data mapping are the first steps to compliance.
Osano can help you on your compliance journey in more ways than one. For example, if you need a GDPR representative, we’ve got you covered with one of our EU-local attorneys. Learn more about how we can help you by scheduling a demo today.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.