Published in MA Society of CPAs' SumNews (September 2021)
In the summer of 2020, the Court of Justice of the European Union (CJEU) struck down the 2016 data-sharing agreement between the United States and the European Union, which permitted personal data to be transferred from the EU to the United States consistent with European law, including the General Data Protection Regulation (GDPR). In doing so, the CJEU terminated the EU-U.S. Privacy Shield, the mechanism that many American companies have relied on to import European data to their facilities in the United States. This has significant implications for accountants and their clients that receive data from the EU, as their European counterparts may begin to request greater due diligence review of their data privacy and security operations.
Although the CJEU struck down the EU-U.S. Privacy Shield, it specifically upheld the Standard Contractual Clauses (SCCs), which are EU-approved contractual clauses governing cross-border transfers of data. However, per the CJEU’s decision, it is not enough for European entities to sign the SCCs with their American counterparts. European data exporters must also review the data operations of American data importers to determine that they can comply with the terms of the SCCs and will protect the personal data of EU residents per the requirements of the GDPR.
Following the CJEU decision, but particularly since the start of 2021, there has been an increase in requests for data protection impact assessments (DPIAs) from European organizations that send data to non-EU partners, including the United States. DPIAs are a formal review required by the GDPR when data processing “is likely to result in a high risk to the rights and freedoms of natural persons.” Prior to last summer, for the most part these were limited to specific situations, like the introduction of new technology to data processing or the systemic and extensive evaluation of personal data using artificial intelligence applications. Recently, EU organizations are much more likely to request a DPIA for any data processing that occurs outside the EU, including the processing of information as innocuous as names and physical addresses.
These requests reflect European concerns that American data practices do not comply with GDPR requirements and that without the EU-U.S. Privacy Shield, EU organizations will be liable for the non-compliance of their American partners. DPIAs require organizations to perform a thorough review of their data privacy and security practices, identify risks, and implement appropriate controls to reduce risk levels. They are becoming the primary tool that EU entities use to confirm whether or not their American counterparts satisfy GDPR and SCC obligations.
Accountants that receive personal information from the EU should be prepared to conduct a DPIA of their data processing. Similarly, accountants, as trusted professionals, may receive inquiries about DPIAs from their clients who need to conduct DPIAs themselves. DPIAs involve detailed analyses of an organization’s data privacy and security practices, identifying vulnerabilities, the controls implemented to reduce the risk introduced by vulnerabilities, the parties within the organization responsible for overseeing the data and vulnerabilities, the relevant jurisdictional laws affecting the privacy rights of individuals, etc.
A DPIA can be prepared in a variety of formats, but should address all of the following information in some way:
- The need for a DPIA. Explain broadly why you have identified the need for a DPIA. This can be done in the introduction or the title sheet, noting it is done at the request of a particular client.
- The details of your data processing. The description of your organization’s data processing should not be general. It should rely on specific information about data files, backup files, email usage, electronic device usage, data subject requests, etc. When providing this information, consider the questions a third party would have about your processing. How do you collect, use, store, and delete data? Do you share data with anyone? Does the data include special categories of data? How much data do you collect and use? How long do you keep it?
- Consultation with third parties. In addition to explaining what your organization does with data, you should also explain the third parties your organization consults regarding its data processing. Describe the instructions and interactions you have with clients regarding data processed on their behalf. Describe the extent to which you rely on information security managed service providers and consult with information security attorneys.
- Data privacy and security best practices. A DPIA is an opportunity to review whether your organization employs data processing best practices. Do you properly minimize the data you process and staff member access to it? How do you respond to individual requests to enforce privacy rights? Do you have data processing agreements with your vendors to impose appropriate data privacy and security obligations on them?
- Identification and assessment of risks. There are two risks a DPIA should address: raw risks and controlled risks. Raw risks are the risks involved before any controls are implemented. For example, if everyone in your organization brings their laptops home with them and those laptops contain individuals’ bank account numbers, the raw risk might be quite high, due to the potential for laptops to be compromised by hackers or stolen. However, if your organization has imposed controls like encrypting each laptop and implementing a VPN, the controlled risk associated with that vulnerability is significantly lower.
- Measures that reduce risks. When discussing the controlled risks, you should also provide a detailed explanation of each control you rely on to reduce raw risk levels.
American and European privacy practices have differed for some time, but in the last year, European organizations have become incentivized to bridge that gap. If you are prepared to conduct, and help your clients conduct, a DPIA, your organization will be well positioned to continue business with European partners.
John Weaver is a member of McLane Middleton’s Information Privacy and Security Practice Group. The group assists businesses and private clients to improve their information privacy and security compliance, and address any security incident or breach that may arise. He can be reached at [email protected].