I do not consider myself a risk-averse, but definitely, vouch for risk assessments. Simply, we all get the consequences of our actions, so why not to address the things adequately?. I reviewed the alternative transfer tools available to keep on transferring personal data to the U.S. The derogations are limited, and there is no room for manoeuvres since all U.S. businesses must comply with their national laws, e.g., FISA 702, E.O. 12.333, PPD 28, Cloud Act.
Useful? Embed this infographic on your website.
This puts us all under tremendous pressure. However, we can not change American laws, and to try to hide the sun with broad interpretations of the law or compliance tricks which are likely to backfire. Thus, I want to explore one real solution; the transfer of personal data OUT of the U.S. or any other place conducted by the US.
Most businesses use Microsoft Office 365, Google Docs, Google Analytics, Facebook Pixel, Azure, AWS, Slack, Trello, MailChimp, Salesforce, MS Dynamics, or similar; thus, not sending personal data and stopping the usage of their products or services may seem impossible (“crazy talk”).
Handling changes demand time and effort. Still, it’s more sensible than deciding to ignore the law. Your business can get transfers suspended or prohibited – check the case (point 121). Have you calculated your daily losses because of unattainable access to your data? Under that scenario, how long would you be able to keep on doing business? How many months could you handle without revenues? Fail to comply with the law damage your brand, reputation; but also, risks your business and the jobs you provide. Indeed not something to take lightly.
Now, we are all under a transition phase, nobody will suddenly get fully compliant, but that doesn’t mean we shouldn’t be taking steps forward. Start by identifying which personal data your process, it’s flow, the international transfers, the suppliers, your contracts in place, and how you plan to comply with your responsibility economically and smartly.
In case you can not anonymise all your data, or use the US services as storage, only. You should check the above infographic. You can either use providers with infrastructure in the EEA region or situated in countries with an adequacy decision – as far as you can verify the GDPR protections are respected.
Or, you can use an open-source software solution and set it up on-premise or in an independent EU Cloud Provider. Or create your own IT solution (your own software) and set it up on-premise or in an independent EU Cloud Provider.
The above should be the general options that any management should be considered in light of the court decision. Stay ahead.
On the 10 Nov 2020: The EDPB provided recommendations on measures that supplement transfer tools to ensure compliance with EU level of protection of personal data. – Open for feedback until the 30th of November.