The Schrems II decision was announced earlier this week and the EU-US Privacy Shield has been declared to be inadequate.
What is the Schrems II decision?
The decision stems from a long-running dispute between Mr Maximilian Schrems and Facebook concerning the transfer of data from the EU to the US. Mr Schrems argues that the US does not offer sufficient protection for the transfer of personal data.
The Court of Justice of the European Union agrees, citing US laws that permit access to personal data by US public authorities and the insufficiency of the measures available to data subjects. The Court has therefore declared invalid its previous decision that the EU-US Privacy Shield provides adequate protection.
What impact does this have on me and my school?
This means that you can no longer rely on the Privacy Shield as an assurance of data protection for any third parties you use to process data in the US or who transfer personal data to the US. The Privacy Shield has been swept away as if it never existed and so any transfers to the US are not (and will not be) compliant with the GDPR as there is no longer a recognised safeguard in place to protect personal data in accordance with its provisions.
This decision has significant implications for all organisations, globally, and there are still many unknowns. For instance, we don’t yet know whether the European Data Protection Board (EDPB) will offer some comfort that they will not take action on past reliance on the Privacy Shield nor are we aware of grace periods for alternative action. All eyes are on Standard Contractual Clauses but these too have been questioned and require controllers to carry out more due diligence.
Sign up for a 14-day, no obligation free trial today of 9ine's new Privacy Management Software and be first to have access to 9ine's commentary on the impact of the Schrems II decision on schools.
What is 9ine doing to support our own organisation’s compliance?
We are reviewing the decision and the impact on the processing activities of our clients. Our preliminary view, in the absence of any guidance from the EDPB, is that our clients’ first step should be an assessment of their data processing activities in order to determine which activities rely on the use of US processors, or involve data being transferred to the US as part of a contract with a third party. Reliance on the use of the Privacy Shield, or Standard Contractual Clauses, should then be highlighted in readiness for action.
We are reviewing the generic processing areas that typically make up a school's data map / record of processing (e.g. Admissions, Academic, HR, IT) to identify the primary processors and processing activities of concern. Using this analysis and our knowledge of the judgement, we will provide an overall commentary on the impact of this decision on the processing of personal data within a school.
An individual analysis of your school’s processing activities and third party processors will be available upon request to email@example.com.
We will also draft a response that you can provide to your data subjects should they ask for information on the impact of the judgement on the processing of their personal data at your school.
Future-proofing for the ever-changing landscape of data privacy and protection.
Our new Governance, Risk and Compliance (GRC) software platform will include a Third Party database of processors and controllers. The App will automatically assess the impact of the above decision, identifying the processing activities at risk and the third parties who are affected. Our Transfer Impact Assessments will help you to ensure that the third party vendors you decide to use are adequately protecting the data that you transfer to them. You will also be provided with a pre-populated list of accredited vendors that have been deemed safe to use by our team of expert consultants.
This is made possible because the data map has been developed as the single point of truth, intelligently linked to all other areas of the App such as DPIA, LIA, Incident Management, Information Rights and the Third Party database.
What happens next...
You will need to update your documentation to reflect the overall position and record the flow of data from collection to destruction. Your data protection regulator may request these details from you so it is important that your documentation is comprehensive and clear.
Creating a data map or inventory is an important step in the journey towards fully understanding what data a school or organisation collects and how it is used. 9ine recommends this step is completed diligently and in consultation with all relevant parties within your school or organisation as this will help to ensure all processes are identified and detailed accurately. To learn more, read our recent blog, How to Effectively Manage Your Record of Processing.
To gain access to 9ine's commentary on the impact of the Schrems II decision for schools, sign up to a no obligation 14-day free trial of 9ine's new Privacy Management Software.
ABOUT THE AUTHOR:
Mark Orchison is Founder and Managing Director of 9ine. He is an experienced management consultant with expertise in data protection, cyber security, technology, project and programme management in education. Mark began his career with Sun Microsystems before moving into management consultancy, where he was the technical consultancy lead for overseeing technology systems for new build schools. Since 2009, Mark has led 9ine in becoming the leading independent K-12 technology and compliance consultancy in the UK. Mark now leads a team of twenty multi-disciplinary and specialist consultants in-house, with a client base expanding across Africa, Middle-East, Russia, India, Asia and the Americas.