EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can help
1. Define a clear and consistent process
Following Schrems II, TCLAs are a standard compliance document that organizations must keep up to date. Whatever the size of the organization, the increasing volume of international data transfers outside of the European Economic Area means that assessments are required for an ever-increasing number of jurisdictions.
Organizations invariably need this information at short notice, for example, to close a contract, select a service provider or conclude Standard Contractual Clauses (SCCs). TCLAs are crucial input for Data Transfer Impact Assessments (DTIAs), the process by which the business assesses the risks of a particular cross-border data transfer. A delay with a DTIA can delay business operations and ultimately impact revenue.
Defining the scope and standardizing the process around TCLA creation will help you to manage risk consistently and improve the turnaround time for your TCLAs. In turn, this will help expedite business processes that are contingent on approvals granted based on TCLA data.
When defining the TCLA process, organizations should consider the best approach for mapping foreign legislation and by whom this is done. One way is to identify which legislation applies to a specific data importer on a per-transfer basis. This is very costly and likely to lead to repetitive findings across similar TCLAs.
Other organizations will opt for a more generic assessment of the legislation. Additional time will be spent on determining which sections are relevant for a specific transfer when performing a DTIA, but the re-usability of the TCLA leads to greater consistency and cost efficiencies.
Organizations can rely on their in-house legal teams to conduct the legislative research, or they can engage lawyers from the local jurisdictions to perform the Country Law Assessment (CLA). The first option gives greater consistency, but less local knowledge could lead to inaccurate assessments. The second option provides robust local knowledge but could result in a lack of consistency across assessments. This could be problematic, as a divergence from your central requirements could affect the applicability of the assessment. Having a defined, standardized process and questionnaire will help prevent such consistency issues.
2. Make the TCLA easy for the business to apply to their DTIA
To be applicable to your DTIA, your TCLA should contain all requirements as stated in:
- The Schrems II ruling
- The European Data Protection Board (EDPB) guidelines on supplementary measures¹
- The EDPB guidelines on the European Essential Guarantees²
These requirements are complex, so designing your assessments to be easily applied by the business will be one of your key priorities and may include the use of technology to make the application process more user-friendly. Business teams won’t want to read extensive analyses, so striking a balance between having sufficient information and avoiding unnecessary “legalese” will be crucial.
Adopting a pragmatic approach, both for your organization’s legal team and for your business, is important.
Given the guidance cited, your TCLA should be:
- Comprehensive: contain all legislation so that the assessment is applicable for any transfer sent to the country in question
- Aligned: address privacy principles and European Essential Guarantees
- Specific: an assessment of a country’s practices
- Risk based: an assessment of inherent risks involved within the jurisdiction
3. Make the TCLA readily available
To save time and reduce friction in your data transfer process, your TCLAs must be made available to the business when it needs them. They can easily be made available via links within the process documentation your business follows to conclude contracts and SCCs or to carry out DTIAs. Having the TCLAs readily available offers several advantages.
For example, if sensitive data (such as health or financial data) is involved in a transfer and you already know that relevant governments have far-reaching surveillance powers, then, at a minimum, you can recommend proper encryption for the local control environment or as an enforceable measure in your SCC. This step will allow you to hold the importer accountable.
This information should be available at the pre-contract stage when selecting a service provider. It will help facilitate a deeper review of the data involved and of the specific jurisdictions where necessary, so that the findings can be factored into the decision.
From a supplier’s perspective, you clearly enhance your chance of being selected by proactively demonstrating that your jurisdiction of processing meets the necessary requirements, or that you have provided mitigation measures.
EY member firms do not practice law where it is not permitted by local law or regulation.