Global data flows: The Schrems II ruling

This week Trace’s Founder spoke to Wealth briefing about the Schrems II ruling.

Extract from the article, which gives the background for this seismic case:

Last week’s shock European Court of Justice ruling invalidated the Privacy Shield mechanism which thousands of companies used to transfer personal data to the US in compliance with the (GDPR). The implications for the wealth sector’s data ecosystem could be huge….Under 2018’s GDPR – the much-imitated international “gold-standard” – transfers to third-countries from the European Economic Area (EEA) are only permitted under strict safeguarding mechanisms, unless the recipient country is one of (the now) 12 deemed to adequate protection by the EU Commission. Considered less onerous, rigid and costly than other transfer mechanisms, the Privacy Shield has been a popular choice, with more than 1,000 organisations signing up last year alone, according to the Future of Privacy Forum. 

The ruling, known as Schrems II, is the latest development in the EU’s long-running privacy war with the US and centres on bodies like the National Security Agency having access to data and a perceived lack of judicial redress for data subjects whose rights have been infringed.” (Wendy Spires)

Trace’s Founder Sorcha Lorimer spoke to Wealth briefing, commenting that:

Modern enterprises typically rely on cloud providers to process personal data - whether that's your CRM system, HR tool or online accounting services. And the personal data you store, as a controller, and your team upload in these systems can be stored across multiple geographical locations by cloud service providers.

“It's therefore likely that personal data your company is accountable for is stored outside the EEA by your providers. That's why the Schrems II ruling is so seismic: the compliance implications for European organisations are huge.

So what can your organisation do now?

  • Know your data: review your Records of Processing Activity (which is evergreen with platforms like Trace), understand gaps and risks now

  • Impact assess your data transfers; Trace's global data transfers visualiser helps you get a handle on where your data processors rely on privacy shield and the compliance of your transfers

  • Review your supply chain, focus on cloud service providers who process personal data: review their technical and organisational measures to protect data with Trace’s smart Processor Assessor for third party diligence and risk management.

Trace’s platform gives you a visual report of your international data transfers against global regulations so you can audit transfers at a glance

Trace’s platform gives you a visual report of your international data transfers against global regulations so you can audit transfers at a glance

Book your Trace demo now or get in touch to request a copy of our practical guide to keeping ensuring your data flows are compliant.

Sorcha Lorimer