Comprehensive software reviews to make better IT decisions
Proteus-Cyber Provides a Tactical Solution for Schrems II Stress With the Transfer Impact Assessment (TIA) Tool
The recent Schrems II invalidation of the EU-US Privacy Shield has added a layer of difficulty for organizations that operate across borders, as they now require additional contractual clauses and measures in place to ensure data can transfer freely.Organizations that may have previously been reliant on the Shield as a factor in ensuring any EU data could be exchanged and processed by countries, including the United States, without a GDPR adequacy ranking, face significant obstacles in ensuring that the appropriate safeguards, by means of Standard Contractual Clauses and data transfer agreements are in place to avoid a violation and hefty fine from the regulator.
This is no small feat for MNCs operating in a multitude of countries across the globe. Each data importer now requires a separate due diligence process to be conducted and a separate contract to ensure that information it receives and processes is maintained with the same standards as those outlined within the country of origin. Those familiar with the three sets of Standard Contractual Clauses (SCCs) and the new guidance around SCCs trickling down slowly from the EDPB will recognize the level of effort that is required to manage these contracts and ensure continued compliance.
Privacy program management vendor Proteus-Cyber has recently introduced a streamlined solution to its NextGen enterprise software that helps organizations manage their complex environment and multiple operating locations in the aptly titled Transfer Impact Assessment (TIA). The TIA consists of a pre-configured survey that enables the DPO or privacy manger to have a centralized overview of all SCCs that the organization has in place with respective data importers, which can consist of both subsidiary companies or separate vendors and third parties that process data on the controller’s behalf.
One key feature that privacy professionals can benefit from within the TIA is the ability to customize based on country-specific guidance around data transfers and requirements issued by national data privacy regulations. For nations even within the EU that have separate requirements for data processing and transfers, the TIA can be altered to reflect these specifications to ensure that all obligations are being met.
Additionally, Proteus-Cyber’s TIA feature integrates and builds off of the NextGen Data Privacy product to provide technical insight into the sensitivity of the information being transferred, to where and how it is being transferred, and the appropriate security controls in place around protection of the information on the end of the data importer. It is a holistic, full-spectrum solution to help manage the Schrems II-incited stress of MNCs and global entities.
Source: Proteus-Cyber Vendor Briefing, Proteus-Cyber
Our Take
The July 16th ruling by the CJEU served as yet another nudge for organizations that view data privacy as a simple checkbox to take a proactive and case-by-case approach to privacy processes and the overall integration of data privacy within the organization’s operational streams. And although we still await the final changes and updates from the EDPB to the three sets of SCCs, we expect a noticeable increase in the level of scrutiny applied throughout the revised terms in relation to expectations around a data importer’s data protection processes and controls.
Added scrutiny means added work for those within the DPO, PO, or legal function within multinationals. Ensuring that the internal data privacy standards meet requirements is enough of a challenge, and this is now piled under ensuring appropriate measures have been taken by all subsidiaries or third-party importers. The complexity of this process has been taken into account by Proteus-Cyber and simplified with the launch of the TIA feature. The TIA’s ability to draw on information obtained through Proteus NextGen and effectively ensure that any third parties to which data is transferred meet all requisite conditions is a game-changer in the privacy program management and legal and compliance sphere.
The tool provides an automated approach to a process that would be more than a headache to perform manually, but still relies on external validation and checkpoints throughout to ensure the data transfer agreement meets all requirements. Proteus-Cyber’s TIA feature is an optimal combination of efficiency and customization and has set the bar high for other privacy program management and compliance software solutions to follow suit.