In the summer of 2020, the Court of Justice of the European Union (CJEU) struck down the 2016 data-sharing agreement between the United States and the European Union, which had permitted personal data to be transferred from the EU to the United States consistent with European law, including the General Data Protection Regulation (GDPR). In doing so, the CJEU terminated the EU-U.S. Privacy Shield, the mechanism that many American companies had relied on to import European data to their facilities in the United States. This has significant implications for lawyers and their clients who receive data from the EU, as their European counterparts may begin to request greater due diligence review of their data privacy and security operations.
Data protection impact assessments (DPIAs) are one of the primary due diligence tools used by European organizations that send data to non-EU partners, including those in the United States. A DPIA is a formal review required by the GDPR when data processing “is likely to result in a high risk to the rights and freedoms of natural persons.” Increasingly, EU-based organizations are requesting DPIAs for personal data transferred outside the EU to confirm that their partners comply with the GDPR.
Lawyers who receive personal information from the EU should be prepared to conduct a DPIA of their data processing. Similarly, lawyers, as trusted professionals, may receive inquiries about DPIAs from clients who need to conduct DPIAs themselves. A DPIA is a detailed analysis of an organization’s data privacy and security practices: it identifies vulnerabilities, the controls implemented to reduce the risk those vulnerabilities introduce, the parties within the organization responsible for overseeing the data and the vulnerabilities, the relevant jurisdictional laws affecting the privacy rights of individuals, and so on.
A DPIA can be prepared in a variety of formats, but should address all of the following information in some way:
- The need for a DPIA. Explain broadly why you have identified the need for a DPIA.
- The details of your data processing. The description of your organization’s data processing should not be general. It should rely on specific information about data files, backup files, email usage, electronic device usage, data subject requests, etc. When providing this information, consider the questions a third party would have about your processing.
- Consultation with third parties. In addition to explaining what your organization does with data, you should also identify the third parties your organization relies on in its data processing and describe their role.
- Data privacy and security best practices. You should view a DPIA as an opportunity to review and explain your organization’s use of data processing best practices.
- Identification and assessment of risks. There are two kinds of risk a DPIA should address: raw risks and controlled risks. Raw risks are the risks present before any controls are implemented; controlled risks are the risks that remain once controls such as laptop encryption, multifactor authentication, etc. are in place.
- Measures that reduce risks. When discussing the controlled risks, you should also provide a detailed explanation of each control you rely on to reduce raw risk levels.
- Analysis of information privacy and security laws. A DPIA should include an analysis of the impact the relevant jurisdictional privacy and security laws may have on the data processed, e.g., New Hampshire’s breach notification law, RSA 359-C:19-21, the federal Gramm-Leach-Bliley Act, etc.
American and European privacy practices have differed for some time, but in the last year, European organizations have become incentivized to bridge that gap. If you are prepared to conduct, and help your clients conduct, a DPIA, your firm will be well positioned to continue business with European partners.