Practical Steps
Against this noisy backdrop, organisations could be forgiven for thinking that solutions remain elusive. In fact, the CJEU has been relatively clear regarding the analysis that needs to be performed. In what are now being termed “transfer impact assessments” or “TIAs”, data exporters are looking at the following steps:
1. Analyse data flows which involve transfers of personal data outside the EEA and determine which transfer mechanism is being used. Existing compliance controls can be used to identify transfers, such as Article 30 records of processing activities (RoPA), data protection impact assessments (DPIAs) and other data mapping controls.
2. For US transfers relying upon Privacy Shield, an alternative transfer mechanism must be found as a priority.
3. To the extent a business is currently using, or considering using (as an alternative to Privacy Shield), SCCs for transfers to any third country, it must assess the level of appropriate safeguards provided by that transfer to determine whether SCCs are a suitable mechanism. A TIA will typically involve an assessment of the following criteria:
   a. the legal regime in the destination country, including
      (i) the strength of regulation of data privacy;
      (ii) regulation of public authority access to private data; and
      (iii) rights of redress for affected data subjects;
   b. additional safeguards or supplementary measures that may mitigate or exacerbate privacy risks, such as
      (i) provisions in the contract between exporter and importer that affect disclosure; and
      (ii) technical and organisational measures implemented by the exporter or importer which impact the privacy protection; and
   c. the real-life risks of the transfer, within the context of the sector / industry and other relevant factors, including the identity of the data subjects and the categories of data being transferred.