Our consultants will assess your progress against the six steps set out by the European Data Protection Board and provide you with an action plan to help you comply.
Know your transfers
- How thoroughly have you mapped your data flows?
- Do you know all the countries that can access your data?
- How confident are you that you have minimised the data you transfer?
Verify the transfer tool
- Have you identified a lawful basis for each data transfer?
- Is this basis appropriate?
- Do you have documentary evidence to show that all the requirements for each basis are met?
- Where the basis is Standard Contractual Clauses, how much progress have you made in establishing the impact of the new Standard Contractual Clauses that have recently been released for consultation?
- Have you made a decision about whether the countries from which your personal data can be accessed meet the European Essential Guarantees?
- Is the basis for this decision appropriate?
- Where the transfer involves a country that you have not assessed as meeting the European Essential Guarantees, have you identified effective controls to safeguard the data in transit and in the receiving country?
- Has the design and effectiveness of these controls been tested?
- Have you implemented and documented the controls?
Formal procedural steps
- Can you demonstrate that the supplementary measures you have identified are unambiguous?
- If the supplementary measures have the effect of varying the Standard Contractual Clauses or Binding Corporate Rules, have you sought and received authorisation from the supervisory authority?
- What evidence do you collect to demonstrate that the Standard Contractual Clauses or Binding Corporate Rules can be complied with in practice?
Re-evaluate the transfer
- Do you have a process in place to monitor developments in the countries that receive your data?
- Do you have a process in place to re-evaluate the effectiveness of your controls?
- Do you have business continuity plans in place in the event that your data recipients are unable to comply with the Standard Contractual Clauses or Binding Corporate Rules, or the country’s Adequacy decision is withdrawn?
- Have these plans been tested?