27th December 2022 is the deadline in which a new mandate by the European Commission* will be enacted, requiring all existing contracts by businesses within the EU and EEA to be updated in compliance with Standard Contractual Clauses** (SCC). The Commission issued this new directive, referred to as ‘Schrems II,’ last year*** (4th June, 2021). As of next month, all EU and EEA organisations are to conduct individual assessments of all data transfers to non-EU countries as part of new SCCs.
This judgement follows the Court of Justice of the European Union’s (CJEU) decision in 2020 to reassess how companies distribute their data outside of EU and EEA regions. These are pre-approved contract clauses which were reassessed considering the General Data Protection Regulation’s (GDPR) obligations involving data protection and distribution to international countries. Ahead of the looming deadline, Charles Cao, senior director of global strategy at Conga, explains how UK business leaders should approach this transition:
“The Schrems II decision has forced organisations to revisit the way they approach international data transfers. Leaders should view these changes as an opportunity to reassess their business processes and establish compliant contracts in advance. The European Data Protection Board’s (EDPBs) final guidance offers a clear roadmap for ensuring that personal data transfers are lawful, satisfy the accountability principle under Article 5(2) of the GDPR, and make the necessary operational or commercial changes.
“There are two key steps organisations must follow to avoid negative repercussions following the upcoming deadline. The first is to establish processes that implement the new SCC regulations. This will require a comprehensive training and communications plan to ensure these new processes are clearly understood, enforced, and fully integrated into normal operations – including executing transfer impact assessments and navigating cross-border data flows.
“The second step is to rectify existing contracts. However, most enterprises will likely have multitudes of contracts in need of updating to reflect the SCC changes. Doing so manually would be both inefficient and time-consuming. Not to mention, taking on the task of identifying and locating the hundreds of contracts that need to be updated would be a challenge on its own. Teams should be able to cross-examine the contents of contracts and extract relevant information at pace, ensuring all documents remain fully compliant, leaving little-to-no margin for error.
“Ideally, businesses should maximise the efficiency of every task across the contract and document lifecycle and ensure they minimise their risk throughout this period. There are several digital tools and contract lifecycle management solutions available that can help with this and increase the value of future contracts with standardised processes, pre-built templates, and further automation. In fact, artificial intelligence (AI) can isolate unstructured texts within commercial agreements and consolidate it into prepared data, ready to be reviewed by a team member to validate its data accuracy.”