The fall of Privacy Shield

In July 2020, in its Schrems II judgment, the Court of Justice of the European Union (CJEU) ruled that the EU-US Privacy Shield was invalid as a basis for transferring personal data to the US. Standard Contractual Clauses survived, but only where the exporter verifies that the law and practice of the destination country do not undermine the protection they promise.

This decision was followed by new, strict guidance from the European Data Protection Board setting out six steps that organisations must follow when transferring personal data outside the EU.

Our consultants can help you work through the European Data Protection Board's six steps and make sure you are complying with the law.

Discover more about our EU-US Data Transfer Assessment and Action Plan service below.
EU-US Data Transfer Assessment and Action Plan service

How does this service work?

Our consultants will assess your progress against the six steps set out by the European Data Protection Board, together with a seventh step covering control failure, and provide you with an action plan to help you comply.

1. Know your transfers

  • How thoroughly have you mapped your data flows?
  • Do you know all the countries that can access your data?
  • How confident are you that you have minimised the data you transfer?


2. Verify the transfer tool

  • Have you identified a lawful basis for each data transfer?
  • Is this basis appropriate?
  • Do you have documentary evidence to show that all the requirements for each basis are met?
  • Where the basis is Standard Contractual Clauses, how much progress have you made in establishing the impact of the new Standard Contractual Clauses that have recently been released for consultation?

3. ‘Mini adequacy’ (assessing the law and practice of the destination country)

  • Have you made a decision about whether the countries from which your personal data can be accessed meet the European Essential Guarantees?
  • Is the basis for this decision appropriate?

4. Supplementary measures

  • Where the transfer involves a country that you have not assessed as meeting the European Essential Guarantees, have you identified effective controls to safeguard the data in transit and in the receiving country?
  • Has the design and effectiveness of these controls been tested?
  • Have you implemented and documented the controls?


5. Formal procedural steps

  • Can you demonstrate that the supplementary measures you have identified are unambiguous?
  • If the supplementary measures have the effect of varying the Standard Contractual Clauses or Binding Corporate Rules, have you sought and received authorisation from the supervisory authority?
  • What evidence do you collect to demonstrate that the Standard Contractual Clauses or Binding Corporate Rules can be complied with in practice?


6. Re-evaluate the transfer

  • Do you have a process in place to monitor developments in the countries that receive your data?
  • Do you have a process in place to re-evaluate the effectiveness of your controls?


7. Control failure

  • Do you have business continuity plans in place in the event that your data recipients are unable to comply with the Standard Contractual Clauses or Binding Corporate Rules, or the destination country’s adequacy decision is withdrawn?
  • Have these plans been tested?

What to expect

Your consultant will work with you to schedule interviews with key individuals such as the Head of IT, Privacy Manager, Project Manager and Process Owners.

In the interviews, your consultant will ask questions to help them establish whether the organisation is aware of the tasks required and if so, whether it is on track to complete them. The interviewees should not need to prepare for the interview, but if they have an EU-US data transfers project plan, it would be useful for them to have it available.

After the interviews, the consultant will produce a report showing clearly which actions are not started, which are started but at risk, and which are on track or completed. This will help you identify and fill any gaps in your action plan.

If your objective for this report is to help you start your project, we can also include a summary of the decision and its implications, an explanation of the options available to you and a template action plan.


What comes next?

Your consultant can help you to implement the recommendations. Your support plan can be tailored to your requirements.

Example Service 1 - A little help


We can provide you with telephone and email support to answer any questions you may have as you work through your plan.

We typically provide this as pre-paid days, which can be drawn down in 15-minute increments on the basis of the time taken to answer each query. This is suitable for simple questions with simple answers. If your question is more complex, we will let you know and suggest an approach for helping you resolve it.


Example Service 2 - A lot of help


In one week, we could:

  • Review your policies, procedures and risk registers and highlight areas that will need review
  • Review your Article 30 records of processing activities and highlight priority processes for review
  • Review your contract library and highlight the contracts that will need to be renegotiated
  • Review your business continuity plans and highlight any priority gaps and issues
  • Work with your project team to ensure they understand the actions allocated to them and the requirements for completing each task

Bespoke Data Transfer Assessments

Make it your own

We can tailor your assessment to your specific needs and requirements. Options include:

  • Carrying out a programme of comparative assessments for specific divisions or locations
  • Assessing the degree to which your specific policy decisions have been implemented
  • Carrying out a more detailed assessment or audit of your preparations in respect of specific international data transfers
  • Assessing the preparedness of your third party data recipients
  • Anything else to meet your needs – just ask!
