OneTrust Expands Schrems II Solutions to Support the EDPB’s Finalised Guidelines on Supplementary Measures for International Data Transfers

OneTrust announced enhancements to its range of Schrems II Solutions to help organisations comply with the European Data Protection Board’s (EDPB) recommendations on measures that supplement transfer tools following the Schrems II decision. OneTrust’s Schrems II Solutions help both EU exporters and importers comply with the latest EDPB guidance.

In July 2020, the Court of Justice of the European Union (CJEU) ruled on the Schrems II case, invalidating the EU-US Privacy Shield. This decision required many organisations to evaluate alternative data transfer mechanisms to comply with personal data transfer requirements under the GDPR. In November, along with the release of a set of revised Standard Contractual Clauses (SCCs) by the European Commission, the EDPB released draft guidelines on “supplementary measures” to ensure compliance with the EU’s level of personal data protection when transferring personal data from the EU to a third country. Today, the EDPB finalised those guidelines after a public consultation period.

The EDPB guidelines provide a roadmap data exporters can follow to ensure that personal data transfers are lawful and that they satisfy the GDPR’s accountability principle under Article 5(2). They also outline a set of contractual, organisational, and technical measures that can be implemented with the support of data importers to bring the data protection standards in line with the EU’s level of protection when transferring data to a third country. The key updates to this guidance include the following:

  • Exporters should recognise the importance of examining third country public authorities’ practices in their legal assessments to help determine whether the legislation or practices hinder the effectiveness of the Article 46 transfer tool.
  • Exporters may want to consider the practical experience of the importer when carrying out their assessments.
  • The effectiveness of the data transfer tool may be affected by the legislation of the third country destination allowing its authorities to access the transferred data, even without the importer’s intervention.

Operationalise the EDPB Guidelines with OneTrust Schrems II Solutions

OneTrust is helping both data exporters and importers operationalise the EDPB’s finalised guidelines with an enhanced set of tools, guidance, and templates live in the platform today.

For data exporters, OneTrust’s Schrems II Solutions help carry out the EDPB’s six-step roadmap, including pre-built templates to assess third countries, perform Transfer Impact Assessments (TIAs), and evaluate the effectiveness of supplementary measures. OneTrust helps exporters:

  • Map Transfers: Centrally document and visualise all cross-border transfers, related data importers, and the third countries involved.
  • Verify Transfer Tool: Document and verify the transfer mechanism for each transfer, enabling a risk-based approach to prioritise further analysis.
  • Assess Effectiveness: Leverage pre-built templates and research to carry out Transfer Impact Assessments (TIAs) in collaboration with the data importer to determine if the documented transfer tool is effective in the context of each transfer.
  • Adopt Measures: If the transfer tool is deemed ineffective, use pre-built templates based on the EDPB guidelines to determine the technical, contractual, or organisational supplementary measures that can be adopted.
  • Update Contracts: Action any necessary steps from the analysis, such as updating contracts and implementing technical controls.
  • Monitor and Re-evaluate: Monitor third-country developments and evaluate new transfers to ensure that supplementary measures remain effective and data importers honour their commitments.

For data importers, OneTrust helps operationalise privacy and security programs through the OneTrust privacy, security, and data governance platform, ensuring that the proper operational processes, technical controls, and compliance mechanisms have been implemented across the organisation. In addition to these foundational elements, OneTrust provides solutions to help data importers with specific operational challenges of Schrems II and the EDPB guidelines, including:

  • Third Country Assessments: Prepare for requests from data exporters by proactively assessing third countries with pre-built assessment templates and third-country comparison from OneTrust DataGuidance.
  • Transparency Reporting: Be transparent about government surveillance requests by creating, managing, and centrally hosting a Transparency Report as part of your privacy policy.
  • Assessment Response Automation: Streamline response to the increased volume of Transfer Impact Assessments from data exporters by answering questions once to create a central answer bank, and then auto-applying those answers to subsequent questionnaires using AI and NLP technology.

“The EDPB’s final guidance on supplementary measures sets clear benchmarks for organisations as they work towards safe and reliable data transfers following the Schrems II decision and the invalidation of the EU-US Privacy Shield,” said Kabir Barday, OneTrust CEO and Fellow of Information Privacy (FIP). “OneTrust’s expanded range of solutions, research, and guidance will help organisations comply with these guidelines and better operationalise their privacy program.”