Contingency planning for scenario two should be in place as soon as possible to ensure that transactions may continue seamlessly. There are alternative solutions to consider, and these will need careful discussion with clients, suppliers, and other companies within a group. Your approach will depend on a number of variables, such as the role that you play in information transfers (“controller” or “processor”), the type of information that travels, and the type of entity that sends you information. You may need to engage with cloud technology providers who host your data in the EEA. The first immediate step is to review your understanding of your data flows across the organisation.
Elizabeth Denham, the UK Information Commissioner (and chair of the Global Privacy Assembly), at a meeting on 30 September would not comment on the state of “adequacy” or the strength of standard contract clauses for international transfers. It appears that we are expected to take a risk-based approach and examine each transfer or contract on its own merits.
A word about the US – we have recently seen challenges to, and the demise of, both Safe Harbour and Privacy Shield. The current position with the UK regulator is that existing transfers set up to organisations under the old Privacy Shield scheme may continue, but new ones should treat the US as a third country. Transfers to organisations that are not certified need alternative provisions to protect the rights of UK citizens.