The European Data Protection Board (EDPB) adopted recommendations to assist data exporters with evaluating countries to ensure that they are adhering to the bloc’s level of protection under the EU General Data Protection Regulation (GDPR) and finding further measures as needed.
“Supervisory authorities will continue exercising their mandate to monitor the application of the GDPR and enforce it,” the EDPB said in its recommendations. “Supervisory authorities will pay due consideration to the actions exporters take to ensure that the data they transfer is afforded an essentially equivalent level of protection.”
While mapping all transfers of personal information to third countries can be a challenging exercise, the board recommends that exporters know their transfers as a first step. Then, exporters should verify the tool on which their transfer depends if the European Commission hasn’t decided that the country, region or actor to which they are transferring data is adequate.
After that time, the board recommends that exporters find if anything in the legislation or practice of the third country could hamper the effectiveness of appropriate security measures of the transfer tools that they are depending on in the context of their transfers.
If their assessment finds that the third country’s law hampers the effectiveness of the Article 46 GDPR transfer tool they use or plan to use, the board recommends that exporters find and implement supplementary measures.
The board identified five main Article 46 GDPR transfer tools. Those include binding corporate rules, standard data protection clauses, certification mechanisms, codes of conduct and ad hoc contractual clauses.
As another step, the board recommends that exporters take any formal procedural measures that may be needed for the implementation of an exporter’s supplementary measure.
And, at appropriate points in time, the board also recommends that exporters take another look at the level of protection for the information they transfer to third countries and see if there have been, or will be, any changes that could impact it.
While the European Commission said in a June report that the GDPR is “an overall success,” additional actions are required — particularly among small- to medium-sized businesses (SMBs) — to promote what one top official called “vigorous enforcement.”