When the European Court of Justice invalidated the EU–US Privacy Shield earlier this year, organisations were left unsure about how to legally transfer personal data into and out of the EU.
The ruling was made following criticism from the Austrian privacy activist Max Schrems, who argued that the US government’s mass surveillance practices contradicted the protections that the Privacy Shield was supposed to provide.
Data privacy experts – and many organisations – agreed that the most suitable alternative was SCCs (standard contractual clauses), but these require a lot of additional work.
That’s why the EDPB (European Data Protection Board) has issued guidance urging organisations to create data flow maps before transferring any personal data. It notes that although the process can be difficult, it’s “necessary to ensure that [personal data] is afforded an essentially equivalent level of protection wherever it is processed”.
The EDPB adds that organisations must verify the transfer tool that they use and check whether the European Commission has made an adequacy decision regarding the country to which the information is being transferred.
This is something that UK organisations – and those that transfer personal data into the country – must bear in mind. The UK’s Brexit transition period ends on 31 December, and an adequacy decision is still a long way off, so there will be major changes in the way data transfers work.
Creating a data flow map
Thousands of EU businesses, as well as countless others outside the EU, relied on the Privacy Shield, so its invalidation has huge implications for alternative methods of data transfer.
Data flow mapping has therefore never been more important. The process helps organisations identify data items (such as names and email addresses), the format in which the data is held, the transfer method (such as by post or email) and the location of the data.
A data map also helps organisations see who has access to the data at any given time and who is accountable for it.
You can find out how to create a map with the help of our sister company Vigilant Software.
Its Data Flow Mapping Tool enables you to create and edit data flow maps thanks to its dynamic drawing tools.
You’ll gain full visibility over the personal data you hold and identify how the data is used, where it’s stored and how it’s transferred.
Mapping your data and complying with the GDPR’s data transfer requirements have never been simpler.