Each week OneTrust hosts expert privacy professionals to discuss the latest updates, trends, and developments in the privacy world via LinkedIn Live. In this session, Alexis Kateifides, Privacy Counsel at OneTrust, was joined by Natalia Stenbrink, Group Compliance Officer at Sandvik and OneTrust PrivacyConnect Chapter Chair for Stockholm, to discuss the Schrems II decision, its impact on businesses, and the initial steps Natalia took in the immediate aftermath of the decision.
Fallout from Schrems II
As a OneTrust PrivacyConnect Chapter Chair, Natalia recently hosted an event in her Stockholm Chapter which tackled much of the fallout and organizational impact of the decision. Natalia explained to Alexis that one of the themes uncovered was that a lack of guidance has left many privacy professionals with a lot of questions about how best to move forward.
“We have unanswered questions,” she said. “We have plans to stumble ahead in a risk-based way that we believe is reasonable and will serve our companies well as we wait for more guidance. But I hope the people listening don’t feel alone in thinking, ‘What the heck do we do?’”
Steps to take in the aftermath of the Schrems II decision
When asked about the initial steps that were taken in the weeks following the CJEU’s decision, Natalia explained how she released a company-wide advisory and FAQ. The idea behind the advisory was to inform all areas of the company of the decision and what it meant for them.
“I outlined what the case was about, what impact it would have on Sandvik, and some proposed next steps,” Natalia explained.
Also, the central privacy team, which is made up of the head privacy officers from each of Sandvik’s business areas, now meets weekly for what they call a “Project Schrems II Alignment”. This weekly meeting helps manage the practical steps and filter information down to the immediate stakeholders who need to ensure they are carrying out tasks – such as DPAs – correctly following the CJEU’s decision.
“What’s great is to align together […] you get with your stakeholders, whoever is going to help you, whoever is going to communicate this down to purchasing, procurement, legal, whoever is negotiating the DPAs,” explained Natalia.
Practical Schrems II next steps for organizations
The first piece of guidance that Natalia’s project team passed on to the wider network of stakeholders was to begin using SCCs when dealing with any new DPAs and to cease using the Privacy Shield. However, as Natalia explained, adopting SCCs is not a straightforward task.
“You have to use the SCCs, but that’s not all,” she said. “SCCs come with some additional obligations before you can say you are confidently, compliantly using these SCCs. […] So, one of the practical questions is, ‘Where do we start?’”
Next, Natalia suggests having a plan for both new and existing DPAs, both of which would require a verification assessment. Furthermore, identifying the contracts that involve third-country data transfers is something that all organizations can begin working on before official guidance is issued, and prioritizing the existing DPAs that concern high-risk vendors, or that include high-risk data, is a good place to start when looking to comply with the fallout from Schrems II.
“Everyone in legal in our organization knows what SCCs are, we’ve been using those anyway, but what is this extra requirement? It goes by many names, I’m calling it a verification assessment […] that verification assessment needs to, in the end, give you the feeling that the third country will give you the essentially equivalent data protection as in the [European] Union,” explained Natalia.
Another practical tip Natalia suggests is to tailor vendor questionnaires to suit the needs of your business and to make them easier to digest. Then, based on your risk assessment of the third-country data transfer, have verification assessments that vary in length and complexity according to the type of data being transferred.
“Many times, what we are transferring over to SaaS providers from the US is login or business contact information that anyone could find by Googling. [It’s] low-risk data. My idea is that I’m going to have a much shorter verification assessment for those […] We won’t know if that is totally right until we get more guidance, but we are expected to act,” explained Natalia.
The future of data transfers post-Schrems II
Discovering the most efficient methods of safely transferring data will take time. As Natalia mentioned, until there is political intervention and an agreement can be reached – whether that looks like the now-defunct Privacy Shield or not – companies must adapt their processes and continue their business operations in a considered and compliant manner.
“In my opinion, we cannot and should not stop global trade, and we do not want to build a Europe fortress on the internet […] Yes, globalization created a lot of problems but we know those and if we can work on those it also creates a lot of benefit to our European societies being able to buy the best innovation,” Natalia said.
In one final note, Natalia also urged privacy professionals to read the Schrems II decision themselves, as it helped her to understand many of the nuances within the decision that may not be discussed as frequently in the many thought leadership webinars and articles that are currently available.
Follow OneTrust on LinkedIn to receive notifications for upcoming LinkedIn Live events. For more information and resources to help you understand the Schrems II decision further, visit the OneTrust Schrems II Solutions page or the OneTrust DataGuidance Schrems II Portal.