The rules relating to sharing data with any company outside the EU have recently changed and the previously accepted standard contract clauses are no longer considered adequate. If you share data with any company outside the EU, you need to ensure that you have completed a risk assessment and checked that your contract meets the standard clauses.
The EU Data Protection Board (EDPB) has issued an FAQ on the invalidation of the Privacy Shield and the implications for Standard Contractual Clauses (SCCs). This guidance still applies to UK controllers and processors.
It is important to recognise that there is no grace period for companies to act, and third-country transfers are currently illegal.
There is no guidance on how companies should ensure that data transferred is now safe and no information to help companies complete a risk assessment. So, until more guidance is provided, we are suggesting the following approach:
This is a complex area, but we can help. We have produced a standard risk assessment template you can use and will keep you updated.