May 2023 Update: The Irish Data Protection Commission has ruled that the SCCs do not provide sufficient protection for the transfer of EU personal data to the US. Because of this ruling, we are hopeful that EU regulators will deem the DPF adequate for transatlantic personal data transfers by the October 2023 deadline. We expect that companies will need to use the DPF for transatlantic personal data transfers once it is deemed adequate. The article “Considerations for Certifying Under the EU-U.S. Data Protection Framework (DPF)” contains a timeline and potential advantages and disadvantages that will continue to be relevant, and companies should be aware as they weigh their options.
As most legal/privacy professionals know, regulations related to privacy concerns are in a constant state of evolution. European Union (EU) organizations face an evolving patchwork of privacy compliance rules and regulations for transferring data across international borders. Since the General Data Protection Regulation (GDPR) was enacted, we have seen updates to the privacy laws in the enactment of the Privacy Shield Program followed by the European Union Court of Justice invalidating it in 2020, the EU’s accepted Standard Contractual Clauses getting updated in September of 2021 (SCCs), and the United Kingdom (UK) international data transfer agreement (ITDA) and UK addendum in February of 2022. Just earlier this month, President Biden announced through a new Executive Order a new EU-US Data Privacy Framework that may lead toward the US getting an adequacy decision. With these major changes, companies must ensure they are working with their data processors to have the appropriate contractual obligations in place.
Before joining AuditBoard as the Vice President, Head of Legal, and Data Protection Officer, I worked on the legal teams for several large technology companies, including Workday, eBay, and Adobe, and I was the Data Protection Officer at Rakuten when GDPR came out. In these roles, I’ve learned best practices related to privacy addendums in contracts that will be helpful as the new SCC deadline approaches at the end of December 2022, and I want to share a couple with you.
I’ll preview the ending — we’ve created an addendum our customers can sign to maintain compliance without having to renegotiate your underlying contract. The addendum is available on our website, and we encourage you to reach out to your account representative if you have questions.
An Update on Privacy-Related Regulatory Changes
Since 2020, two big changes have happened related to privacy laws in the EU. First, the EUCJ declared the US’s Privacy Shield Program to be invalid, and then they created a new set of Standard Contractual Clauses. These two changes mean that US companies doing business with EU partners must update all existing and future contracts. In the end, the changes are not huge, but the regulations require new clauses describing how data can be transfered by partner organizations, and different modules outline how the relationships.
It is ultimately the controller’s (you as the data owner) responsibility to ensure they are transferring data properly. AuditBoard as a processor (the vendor who holds your data), offers a standard service to all of our 1500+ customers, so we need a unified approach to ensure we can continue to scale our business while keeping “privacy by design” in focus.
Best Practice: Keep Track of Your Data Processors
Before updating your contracts, you need to assess which vendors to review. A proven approach to this assessment is maintaining a record of the data that is shared with your processors in a third-party risk management system. Using this type of technology will allow you to know which processors to prioritize when updating Standard Contractual Clauses, data processing agreements, and data export mechanisms when regulatory changes occur.
If the evolution of privacy continues at the current pace, companies will constantly have to revisit how data is transferred between countries, especially US-based companies doing business with EU organizations. As an example, the Executive Order issued by President Biden could trigger another round of updates and recertification.
We are all trying to ensure data is protected with a clear and proper understanding of how to share data between two entities. Standard Contractual Clauses and the UK addendum are the focus of the updates now, but forward-thinking companies know more changes will come and that they need a sustainable solution that accounts for future needs and practices. Managing vendor contracts and privacy concerns as a third-party risk closes the gap.
Best Practice: Use a Standardized Addendum
Keep the process of updating contracts as simple as possible. No one wants to go through the time-consuming steps of renegotiating contracts or go through the entire procurement effort when a standardized amendment that patches the privacy updates is all we really need. I’ve unfortunately seen many data processing addendums from customers that include concepts attempting to account for every possible way of processing data. While this might make sense in some cases, most data processing scenarios do not apply to every vendor.
To speed up the document review, companies should connect with vendors to see if the vendors have updated their data processing addendums because they will have identified the key components of what they do with your data and how their systems process it. Applying a tailored approach in defining the scope of a data processing addendum will dramatically speed up the contract updates. I’ve seen it from both a customer and vendor prospective.
Remember, a level of partnership is required in working through these updates. Privacy is a shared responsibility; both organizations must be clear about how data is transferred and leveraged. We have even supplied a pre-signed, prefilled SCC amendment that they can execute and send back to us to ensure compliance. Other trusted technology companies like Workday, Salesforce, and Okta are using a similar method to make the update process as seamless as possible.
Take Action by December 2022
We have a looming deadline of December 27, 2022, when the Standard Contractual Clause updates need to be in place. If you have not started working through the update process with all your vendors, it’s not too late to start. The two best practices above will go a long way to easing the burden for everyone involved. AuditBoard has put policies and standards in place to keep your data safe. We aligned our security and privacy commitments to our current customer’s expectations and regulatory requirements. Our goal is always to maintain the level of partnership and trust we have worked to establish over the years. As mentioned, our approach has been to add a contract amendment tailored to the specific services that AuditBoard provides instead of adding language covering scenarios that would never exist. We have tested this amendment with our customers, with no further changes needed.
If you are a current AuditBoard customer and are unsure of your compliance status, you can sign this addendum to maintain compliance without changing your underlying contractual structure. Reach out to your account representative with questions or for further details.
Anthony Plachy is AuditBoard’s Vice President of Legal and Data Protection Officer, and leads the growing legal team. Prior to joining AuditBoard, he was a Director, Associate General Counsel at Workday leading a large global contract operations team and negotiating enterprise deals for large organizations. Anthony has also focused on commercial and privacy at other large tech companies such as eBay, Adobe, and Rakuten Advertising. Connect with Anthony on LinkedIn.