Last week the European Commission announced that the Standard Contractual Clauses (the “SCCs”) are being updated. These changes primarily apply to entities exporting data out of the European Economic Area. Starting in 2021, whether you’re a controller or a processor (or both!), you’ll need to make certain your SCCs and your data export policies are compliant with the new laws.
The good news is that data exporters will have all of 2021 to get aligned with these new obligations. To make sure data exporters don’t have to start from scratch, the European Commission has provided recommendations to ensure compliance.
Step 1 – Transfer Mapping
Curious about where to start? Step 1 is to create a road map of where the personal data exported by your company goes. Data exporters should review their existing data relationships. Whose data are you exporting? What personal data does that export include? Which countries are receiving the exported data? What are your reasons for exporting that data?
You also need to think about downstream data use. For example, if you’re a processor, are you transferring personal data to a sub-processor who’s located in a third country? Are THEY transferring that data to another party in a different country? Remember that a “transfer” can be something as routing as cloud storage or support services outside the EEA.
This can be a strenuous task for companies that export a lot of personal data out of the EEA. However, the transfer mapping is an absolutely essential first step in knowing what actions – if any – you’ll need to take with your existing data agreements and internal practices.
Next Steps – Transfer Tools and Assessments
There’s more to do after you’ve completed your transfer mapping project. If you’ve mapped any personal data being exported out of the EEA, you’ll need to move on to steps 2 and 3: verifying your transfer tools and assessing third-country laws. Make sure to check back in for our next posts on these steps, and contact me if you have any questions!
By: Ashley Long