EU–US GDPR Data Transfer Assessment and Action Plan


Following the Schrems II ruling by the European Court of Justice in July 2020, any organisation transferring data from the EU to the US needs to take steps to ensure they remain compliant with the GDPR. 

  • Does your organisation or its suppliers use services built by US-owned companies such as Microsoft, Salesforce or Facebook?
  • Does your organisation or its suppliers transfer data between the EU and the US?
  • Do you need help to make sure your data transfers are lawful?

Our EU-US Data Transfer Assessment and Action Plan will help you remain compliant with the GDPR when transferring personal data outside of the European Union, and enable you to establish your level of compliance related to the location and lawfulness of your data processing. We will work with you to produce a practical, step-by-step action plan that will set out all the options your organsiation has for its EU-US data transfers.

What our EU-US Data Transfer Assessment and Action Plan includes:

  • Our consultants will conduct a detailed review of your records of processing, process maps and data flow maps to identify the processes that will need to be addressed.
  • A set of questionnaires will also be sent to your suppliers in order to review their data processing arrangements.
  • Your suppliers' responses will be reviewed and assessed.
  • We will undertake a gap analysis to identify any missing information.
  • Our expert team will review your suppliers’ privacy notices and other supporting information.

What you can expect from us:

  • A clear, actionable report on the key findings and recommendations for EU–US data transfers. This will be presented during a one-hour meeting (this can be face-to-face or virtual).
  • Clear information about remaining GDPR compliant in relation to EU–US data transfers.
  • A practical action plan that outlines all the steps your organisation will need to take. 
  • We also offer optional support to help your organisation implement its action plan.

Why use us? 

We are an award-winning data privacy consultancy and one of the longest-established specialist data protection consultancies in the UK.

Our clients range from multinational corporations to small family-run businesses.

We can draw on expert help from across GRC International Group, including hands-on implementation delivery, training, information security services, data protection legal and compliance assistance, and data protection software.


Due to the need to receive questionnaire responses from suppliers, please allow three weeks for this service to be completed.