On 16 July 2020 the CJEU decided in the Schrems II Judgment that the “Privacy Shield” legal framework for data sharing between the EU and the US is invalid. Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) are still valid but an assessment as to whether they provide enough protection within the local legal framework is required.

The most critical data flows for organisations usually have an international component. As a result of this decision, organisations have to address the following challenges:

  • Not enough control over their international data flows;
  • Lack of understanding about their exposure;
  • Lack of resources to address remediation activities, and
  • Inconsistent guidance from authorities.

Organisations should remember that prior to the end of the transition period, they should specifically be addressing their EU to UK data transfers.

Organisations need an approach to understand their risk exposure, as well as legal framework and controls to ensure protection of personal data. In line with the latest European Data Protection Board recommendations published on 11 November 2020, KPMG has designed the International Data Transfers Methodology consisting of 5 steps to help organisations to identify, assess and address the risks of their cross-border data transfers.

  1. Identification: data discovery exercise to identify external and internal data flows, using the KPMG Data Transfer Screening Form to determine if further assessment is needed in each case and get overall metrics.
  2. Risk assessment: detailed evaluation using the methodology and questionnaire developed by KPMG to understand the risks, considering, among others, the recipient country and its legislation on various aspects, including the security and surveillance laws.
  3. Prioritisation: classifying recipients and contracts to determine which need immediate attention for review.
  4. Remediation: performing remediation activities, using the best tailored arrangements in each case.
  5. Business As Usual for ongoing international data transfers: establishing business as usual processes and controls for secure ongoing international data transfers. KPMG has designed the Data Transfer Compliance Checklist to help organisations with this. 


The following documents have been published in relation to implementation of Schrems II: