International Data Transfers – Acting on Schrems II & Brexit
25 March 2021 – Cyber Security Coalition
Practical advice on international data transfers
The 2020 Schrems II court decision and 2021 Brexit raised many questions about international data transfers. Even whether they are still possible! Look no further than here for true ‘hands-on’ legal and technical tips and advice.
Anneleen Van De Meulebroucke (Eubelius) cut through the legal fog with clear and precise definitions of what constitutes a data transfer (e.g. it includes remote access to personal data stored in the EEA) and what risks are involved. Schrems II boils down to worries about European personal data getting less protection than guaranteed in Europe. The GDPR already provides for safeguards, including adequacy decisions about the level of protection provided, standard contractual clauses (a new version is in draft) and, possibly, derogations.
Schrems II adds to this the obligation for companies to check whether supplementary measures are necessary, decide which measures will work (do document this process!) and follow up on whether the measures are truly effective once in place. How? Learn about the EDPB recommendation on a six-step approach, including some pointers about possible supplementary measures. Furthermore, an example of a ‘real life’ case on the use of AWS, brought before the French Conseil d’État for evaluation, is provided.
Some remarks on (future) aspects of international data transfers to the United Kingdom conclude this exquisitely practical presentation.
In an equally practical vein, Bart van Buitenen (Cranium) discussed post-Schrems II supplementary measures from a technical perspective. Sadly, he cannot but conclude that, based on EDPB guidance, ‘full compliance for most common cases […] is currently impossible’. However, taking no action is not a viable option. Learn about the use cases as discussed in the EDPB guidance, with related tips about measures that work. There is also a quick overview of the additional technical measures suggested in the draft of the new standard contractual clauses.
The point is that in the post-Schrems II era data transfers will not cease. A risk-based approach is crucial, and Bart van Buitenen shares his experience-based views on measures that can help reduce the risk. Once again, a real help.
Clearly, dealing with the fall-out of Schrems II will be a long-term effort. This session of the Privacy Focus Group provides a valuable and practical primer and a concise starting point for acquiring more insight.