On 16 July 2020 the CJEU decided in the Schrems II Judgment that the “Privacy Shield” legal framework for data sharing between the EU and the US is invalid. Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) are still valid, but an assessment of whether they provide enough protection within the local legal framework is required.
The most critical data flows for organisations usually have an international component. As a result of this decision, organisations have to address the following challenges:
Organisations should remember that, prior to the end of the transition period, they should specifically be addressing their EU-to-UK data transfers.
Organisations need an approach to understand their risk exposure, as well as a legal framework and controls to ensure protection of personal data. In line with the latest European Data Protection Board recommendations published on 11 November 2020, KPMG has designed the International Data Transfers Methodology, consisting of 5 steps, to help organisations identify, assess and address the risks of their cross-border data transfers.
The following documents have been published in relation to implementation of Schrems II: