Even with ample time to tackle them, remediation programs take serious work. But for organizations impacted by the Schrems II ruling, time is in short supply – the deadline to implement the new Standard Contractual Clauses (SCCs) pursuant to the EU Commission’s requirement under the GDPR is now less than five months away.
Teams still struggling with how to get started may be feeling the pressure. Factor is here to help with Code Reg: our podcast dedicated to regulatory remediation programs. This season is all about Schrems II/GDPR related remediation; in episode two, our experienced internal practitioners pick up where they left off in episode one and finish their discussion of where to begin when it’s already too late.
In this recap of Code Reg episode two, we:
In episode one, we laid out the different approaches organizations may take to vendor outreach: a blanket or “shotgun” style approach, targeted approach or a hybrid approach.
A targeted approach involves selectively reaching out to vendors who will be impacted. So, why would an organization strapped for time choose a targeted approach – which is inherently more labor intensive – over a blanket approach?
In short, it comes down to relationships. In fact, some relationships enable a targeted approach.
“...we've seen some clients come to us based on their procurement organizations, partnering with them, having good systems in place, coming to us with pretty strong intelligence up front that will drive the counterparty outreach. They know their vendors well, they know what their vendors are doing for them well, so in that sense, it's a targeted approach because they know their contracting ecosystem and their vendors really well.”
While solid relationships can make a targeted approach possible, not knowing vendors well can make it necessary in some cases: organizations may be unwilling to risk peppering all of their vendors with generic (and potentially embarrassing) correspondence.
“Targeted approach can also come into play where you don't know your vendors very well so you need to be very prescriptive around how you're doing the outreach. But to do that, you have to understand the data. And if you don't have good access to the data ... then you're going to do a targeted approach because you're going to want to understand how to narrow the scope pretty quickly.”
- Karl Dorwart
So, how can organizations competing with a rapidly approaching deadline narrow their scope as quickly as possible to determine which of their supplier contracts will be impacted and engage in targeted vendor outreach?
“That's going to start with a couple different strategies that we've seen put in place … which are: potentially prioritizing based on their suppliers, definitely looking at the criticality of the contracts to the business ... also, it could be maybe one that's critical to the business, but also the type of data is very sensitive, and they know very relevant for outreach right up front.”
- Karl Dorwart
As ideal as a targeted approach may sound to organizations hoping to avoid uncomfortable conversations, the reality is that it’s just not always possible – particularly with the deadline so near.
“In terms of more of a blanket approach – we've been talking about digging in and trying to understand based on type of vendor, relationship and sensitivity of data, how to narrow the scope. I'm, again, putting myself in the shoes of an organization where there's not a technology uplift; a lot of these questions around type and criticality of vendor and the relationships – it's just too complex, it would take us six to 12 months to even narrow the scope. So, I now feel the need to go with a blanket approach.”
Organizations that simply can’t gain the needed insight from their data quickly enough may be forced to opt for a blanket approach, reaching out to a broad group of vendors at once. But will it work as well as a targeted approach?
“I think it’s an approach that, if well documented, would help to tell a story—a good story—to the regulators. The one concern, however, that I would have with doing a ... blanket outreach: it's going to highlight to parties outside of the organization that your firm may not have a good sense as to where its personal data is.”
Though a blanket approach has unique concerns, it may also have unique benefits.
“[Blanket approach] also does bring some parties back to the table to reengage, and you might find that they're potentially out of scope for the SCC requirements, but not necessarily out of scope for some form of privacy related contracts in place, like amending your DPA. So that might not necessarily come out during a targeted approach ... I do think both approaches have value, but there's also risk.”
- Karl Dorwart
And of course, as our hosts pointed out in episode one, organizations can choose these approaches in parallel. A hybrid approach (where certain vendors receive custom outreach while the rest get something generic) is the third option.
The one thing that all of these approaches have in common is that they’ll ultimately result in greater clarity around data and what steps have been taken at a vendor level. This is just one of the ways that Schrems II/GDPR related remediation can have a lasting impact on organizations.
Schrems II wasn’t the first privacy ruling to place burdens on organizations, and it (almost certainly) won’t be the last. The good news is, these remediation efforts can be leveraged for future success.
Many organizations are implementing (or updating) databases and new technology platforms. It may feel like a heavy lift upfront, but if this work is done with an eye on the horizon, it can pay dividends.
“It's not just doing this activity, but it's actually operationalizing the compliance activity ... This is a great indication for maintaining the robustness of those technology platforms.”
- Karl Dorwart
Although many organizations are completing this current remediation project under the gun, there’s an opportunity to apply a forward-thinking approach.
“If you're doing this reach out and you're collecting various data points, you need to be more forward thinking … Is there additional data that can be collected so that you're somewhat future-proofing yourself, preparing yourself for future regulatory change?”
- David Shaw
And while technology is important to this and future remediation efforts, it’s important to bear in mind that it’s only one piece of the puzzle.
“I think there's an opportunity to look at technologies (your CLM, how are you managing your contracts?) But also, how are you managing your policies, your procedures within your own data landscape?”
- Karl Dorwart
In episode three, we’ll discuss contract lifecycle management and preparing for future regulatory change in more detail. But before any of today’s activities can be leveraged for tomorrow’s successes, an organization has to align around the project at hand.
When a car is out of alignment, it’s tougher to stay on track. It’s the same for organizations – without early alignment, Schrems II/GDPR remediation efforts will be slower and less productive.
Earlier, we discussed the importance of prioritization if there’s any hope of pursuing a targeted approach. But without a meeting of the minds, there’s bound to be some disagreement within an organization about what constitutes a high-priority vendor.
“The criticality of a vendor, from a financial perspective, from a relationship perspective – that vendor may not be the vendor that poses the most compliance risk for the organization. It may be the vendor that's sitting much lower down in the chain, but nonetheless has access [to] and is processing significant amounts of personal data.”
- David Shaw
This potential friction is just one of the reasons that internal alignment is vital early in the remediation process.
Many organizations that were late to begin their GDPR/Schrems II remediation have faced one large barrier to alignment: budget.
“Where's the budget coming out of, is it the left pocket or the right pocket? At the end of the day, it's the same pair of pants. The company has a requirement, but for a lot of our clients, funding is an issue because of the scale of what's required.”
- Karl Dorwart
For many companies, funding isn’t an issue because of a lack of money, but because annual budgets have already been set. To avoid the same issue next year, organizations that anticipate their remediation efforts continuing into 2023 should work to align on funding as soon as possible.
Aside from relationships and budget, another key area to align internally is ownership. Establishing who will drive remediation and which stakeholders will play a role in the efforts ensures speed.
“We've seen some instances where procurement is leading the charge, obviously in partnership with privacy and legal, and/or compliance ... We've seen others where it is privacy leading, but they, of course, need the support of the other teams within their corporation because there's legal aspects, obviously, there's compliance requirements. And then there are just the requirements around managing the business relationships. Who knows the vendors the best? It's typically not going to be legal. Sometimes it's even not procurement.”
- Karl Dorwart
Understanding which team is best equipped to spearhead the project based on the organization’s structure and rallying necessary support will make it easier to work together collaboratively.
And sometimes, dedicated project management is the best solution for facilitating alignment.
“Program management is really useful for overall success because of what we talked about in terms of the number of different stakeholders that are going to be involved in any type of regulatory remediation, but especially something as complex as this for organizations.”
- Karl Dorwart
While gaining internal alignment around funding can be a particularly prickly issue, some organizations will enjoy a little extra breathing room depending on their location.
For organizations with operations in the UK that engage in personal data transfers to third countries, there’s a later conformance period. The deadline set by the U.K. Information Commissioner's Office is March 21, 2024.
Despite some confusion in the marketplace post-Brexit, the UK has, in fact, adopted the GDPR and released an addendum to the SCCs to bring them into conformance with the European Union.
Additionally, there’s a separate, standalone agreement that organizations in the U.K. can implement known as the International Data Transfer Agreement (IDTA). For organizations operating solely in the U.K., using the IDTA is likely a more efficient option from a timing perspective.
For organizations that do business in the EU as well as the U.K., a different approach may prove more favorable.
“I think firms may choose to use the standard contractual clauses and then just add the UK addendum, because by implementing the standard contractual clauses, (the EU clauses with the UK addendum) you can essentially achieve compliance under both the EU requirements as well as in the UK and not have to have two separate sets of agreements, if you will.”
- David Shaw
Another important distinction for the U.K. is that (unlike the U.S.) it is deemed by the EU to provide adequate protection for personal data.
“Transfers from the EU to the U.K. do not require the standard contractual clauses. They do certainly require compliance with the other articles of the General Data Protection Regulation, but one does not need to go through the exercise of implementing standard contractual clauses if you're transferring data into the U.K.”
- David Shaw
For even greater insight, listen to the full conversation wherever you get your podcasts and subscribe for more Schrems II/GDPR-related remediation insights throughout the season.