GDPR Update – The Standard Contractual Clauses Are Getting a MakeoverPrivacy, privacy attorney, privacy lawyer, privacy law, privacy law attorney, privacy lawyer, privacy seattle, privacy seattle attorney, privacy seattle lawyer, privacy law seattle, privacy law seattle attorney, privacy law seattle lawyer, data, data attorney, data lawyer, data law, data lawyer, data attorney, gdpr, gdpr attorney, gdpr lawyer, litigation, litigator, attorney, lawyer, seattle, Washington, Washington state, WA

Last week the European Commission announced that the Standard Contractual Clauses (the “SCCs”) are being updated.  These changes primarily apply to entities exporting data out of the European Economic Area.  Starting in 2021, whether you’re a controller or a processor (or both!), you’ll need to make certain your SCCs and your data export policies are compliant with the new laws. 

The good news is that data exporters will have all of 2021 to get aligned with these new obligations.  To make sure data exporters don’t have to start from scratch, the European Commission has provided recommendations to ensure compliance.  

Step 1 – Transfer Mapping

Curious about where to start?  Step 1 is to create a road map of where the personal data exported by your company goes.  Data exporters should review their existing data relationships.  Whose data are you exporting?  What personal data does that export include?  Which countries are receiving the exported data?  What are your reasons for exporting that data? 

You also need to think about downstream data use.  For example, if you’re a processor, are you transferring personal data to a sub-processor who’s located in a third country?  Are THEY transferring that data to another party in a different country?  Remember that a “transfer” can be something as routing as cloud storage or support services outside the EEA.   

This can be a strenuous task for companies that export a lot of personal data out of the EEA.  However, the transfer mapping is an absolutely essential first step in knowing what actions – if any – you’ll need to take with your existing data agreements and internal practices. 

Next Steps – Transfer Tools and Assessments 

There’s more to do after you’ve completed your transfer mapping project.  If you’ve mapped any personal data being exported out of the EEA, you’ll need to move on to steps 2 and 3: verifying your transfer tools and assessing third-country laws.  Make sure to check back in for our next posts on these steps, and contact us if you have any questions!

By: Carney Badley Spellman Privacy Team

For more articles about Standard Contractual Clauses, please visit our website, here.