Though still very much a work in progress, with no enforcement expected before 2024, organizations would do well to start evaluating the impact of the draft NIS2 directive proposal on their current security posture. The presentation by Mr. Pieter Byttebier (Centre for Cyber Security Belgium) is a very good starting point for this exercise.
International Data Transfers – Acting on Schrems II & Brexit
25 March 2021 – Cyber Security Coalition
Practical advice on international data transfers
The 2020 Schrems II court decision and the 2021 Brexit raised many questions about international data transfers, including whether they are still possible at all. Look no further than here for truly hands-on legal and technical tips and advice.
Anneleen Van De Meulebroucke (Eubelius) cut through the legal fog with clear and precise definitions of what constitutes a data transfer (it includes, for example, remote access from outside the EEA to personal data stored within the EEA) and what risks are involved. Schrems II boils down to the concern that European personal data may receive less protection abroad than is guaranteed in Europe. The GDPR already provides safeguards, including adequacy decisions, standard contractual clauses (a new version is in draft) and, in limited cases, derogations.
Schrems II adds to this the obligation for companies to check whether supplementary measures are necessary, decide which measures will work (do document this process!) and follow up on whether the measures are truly effective once in place. How? Learn about the EDPB recommendation on a six-step approach, including some pointers about possible supplementary measures. Furthermore, a real-life case on the use of AWS, brought before the French Conseil d'État for evaluation, is discussed.
Some remarks on (future) aspects of international data transfers to the United Kingdom conclude this exquisitely practical presentation.
In an equally practical vein, Bart van Buitenen (Cranium) discussed post-Schrems II supplementary measures from a technical perspective. Regrettably, he can only conclude that, based on the EDPB guidance, 'full compliance for most common cases […] is currently impossible'. However, taking no action is not a viable option. Learn about the use cases discussed in the EDPB guidance, with related tips about measures that work. There is also a quick overview of additional technical measures suggested in the draft of the new standard contractual clauses.
The fact is that in the post-Schrems II era data transfers will not cease. A risk-based approach is crucial, and Bart van Buitenen shares his experience-based views on measures that can help reduce the risk. Once again a real help.
Clearly, dealing with the fall-out of Schrems II will be a long-term effort. This session of the Privacy Focus Group provides a valuable and practical primer and a concise starting point for acquiring more insight.
Other blog posts
The GOVERN&LAW experts share the do's and don'ts of setting up a whistleblowing system in your organization and demonstrate how such an effective and robust system can help you detect incidents yourself before they become scandals.
In this GDPR anniversary webinar, three privacy experts focus on the challenges they face when assessing and implementing government measures adopted in the fight against COVID-19. The corona pandemic has raised awareness of the importance of privacy, not only in our private lives but also in the employer-employee relationship, and of the need for broader democratic scrutiny of privacy-threatening technologies.
One main objective of the European Cyber Security Act is to inform business and consumers about the security of ICT products, processes and services, through certification schemes. This webinar provides solid information about the present status of the Act's implementation.
The webinar teaches you that information security must be handled in a structured way. Three Coalition members explain how frameworks and certifications such as CISM, NIST and ISO 27001 can support you in your role as CISO.