Organisations which are exporting personal data to third countries in reliance on SCCs, and that are subject to the GDPR, will need an action plan to transition across to the new EU SCCs, to carry out the requisite transfer impact assessments, and to ensure ongoing compliance with the requirements of the EU SCCs.
Data exporters should:
- To the extent that they haven't already done this in light of Schrems II, put together a template, taking into consideration the requirements of Clause 14 of the EU SCCs and the EDPB (draft) guidance, establish a process for conducting transfer impact assessments, and then carry these out in conjunction with importing parties and see through any follow-up action arising. Some importing parties (for example, IT service provider processors which deal with thousands of exporting customers) may already have processes in place to support this, and it is worth entering into a dialogue with them first to establish this. To this end, data transfers to third countries should be audited, categorised and prioritised depending on the nature of the arrangement and the counterparty, how important the data transfer is to the business, the destination countries that the business exports data to, and the type and amount of data being transferred. Different approaches to handling transfer impact assessments will also be required depending on the department within a business to which a data transfer agreement relates: for example, data transfer agreements in respect of IT support matters, most of which will be with an importing processor, will be handled in a very different way to, say, a marketing or BD partnership between two controllers.
- To the extent that they haven't already, establish a process (and a way of documenting it) for conducting meaningful due diligence on importers to ascertain whether they can comply with their obligations under the EU SCCs – for example, via a due diligence questionnaire backed up with supporting documentation. Again, it is useful to enter into a dialogue, particularly with importers which are used to importing data, which may already have information and documentation to hand to provide to the exporter.
- Assess which of their current data transfers will need to be transitioned across to the EU SCCs, bearing in mind the grace period which is in place until 27 December 2022; and put in place a process for carrying out such transition and updating existing contracts with the new SCCs.
- Identify those data transfers which are in the pipeline which will need to be completed on the basis of the EU SCCs (again bearing in mind that the existing SCCs can no longer be used on or after 27 September 2021, though if they are put in place before this date, then they too will take the benefit of the grace period to transition to the new EU SCCs).
- Ensure that data can be transmitted to the importer in a secure way.
- Update privacy policies to ensure compliance with transparency obligations under EU SCCs (or agree with the relevant data importer where the importer will do this).
Data importers face an increased compliance burden as a result of the GDPR-style requirements in the EU SCCs – as follows:
- Where a data importer is importing data as a controller, the requirements in respect of data subjects' rights and the ability to respond to requests and enquiries from data subjects (for example, responding to requests for access to data processed) may well require some adjustments to business practices and new processes to be put in place, including a process for complying with the obligations on data breach notification, and establishing a point of contact for complaints from data subjects to be received.
- Data importers should establish with their exporter counterparts which party will meet the transparency obligations in the EU SCCs and, if it’s the importer, work out how best to do this.
- Data importers will need to have processes in place to ensure that the data is accurate and up to date, and only kept for as long as necessary.
- Importers will have to get used to accountability: documenting everything, in particular any steps taken in response to requests from public authorities, so as to be able to demonstrate compliance to exporters, data subjects and supervisory authorities alike, will be important.
- Processor importers for which the risk profile of the data they handle from exporters is similar each time may wish to consider putting together standard documentation which could help with completion and documentation of transfer impact assessments, and with completion of the Appendix to the EU SCCs.
Whilst the EU SCCs are a welcome update on the existing SCCs, in particular in the way they reflect the various transfer scenarios, it is the transfer impact assessment (together with the need to document it) required by Schrems II, the EDPB, and now enshrined in Clause 14 of the EU SCCs, which will continue to create the largest burden for many organisations. The ICO has confirmed that Schrems II, including that need for a transfer impact assessment, is now part of English law, but that it will provide as much help and guidance as possible for businesses to navigate it when it comes to data transfers under UK GDPR. We await with interest how it will address this, and whether it is able to help in any way to shift or reduce the burden on businesses of having to assess the laws and practices of destination countries.