
Data Protection Impact Assessments: How to Deal with EU Distrust of US Privacy Practices

Written by: John Weaver

Published in MA Society of CPAs' SumNews (September 2021)

In the summer of 2020, the Court of Justice of the European Union (CJEU) struck down the 2016 data-sharing agreement between the United States and the European Union, which permitted personal data to be transferred from the EU to the United States consistent with European law, including the General Data Protection Regulation (GDPR). In doing so, the CJEU terminated the EU-U.S. Privacy Shield, the mechanism that many American companies have relied on to import European data to their facilities in the United States. This has significant implications for accountants and their clients that receive data from the EU, as their European counterparts may begin to request greater due diligence review of their data privacy and security operations.

Although the CJEU struck down the EU-U.S. Privacy Shield, it specifically upheld the Standard Contractual Clauses (SCCs), which are EU-approved contractual clauses governing cross-border transfers of data. However, per the CJEU’s decision, it is not enough for European entities to sign the SCCs with their American counterparts. European data exporters must also review the data operations of American data importers to determine that they can comply with the terms of the SCCs and will protect the personal data of EU residents per the requirements of the GDPR.

Following the CJEU decision, but particularly since the start of 2021, there has been an increase in requests for data protection impact assessments (DPIAs) from European organizations that send data to non-EU partners, including the United States. DPIAs are a formal review required by the GDPR when data processing “is likely to result in a high risk to the rights and freedoms of natural persons.” Prior to last summer, these were for the most part limited to specific situations, like the introduction of new technology to data processing or the systematic and extensive evaluation of personal data using artificial intelligence applications. Recently, EU organizations are much more likely to request a DPIA for any data processing that occurs outside the EU, including the processing of information as innocuous as names and physical addresses.

These requests reflect European concerns that American data practices do not comply with GDPR requirements and that without the EU-U.S. Privacy Shield, EU organizations will be liable for the non-compliance of their American partners. DPIAs require organizations to perform a thorough review of their data privacy and security practices, identify risks, and implement appropriate controls to reduce risk levels. They are becoming the primary tool that EU entities use to confirm whether or not their American counterparts satisfy GDPR and SCC obligations.

Accountants that receive personal information from the EU should be prepared to conduct a DPIA of their data processing. Similarly, accountants, as trusted professionals, may receive inquiries about DPIAs from their clients who need to conduct DPIAs themselves. DPIAs involve detailed analyses of an organization’s data privacy and security practices, identifying vulnerabilities, the controls implemented to reduce the risk introduced by vulnerabilities, the parties within the organization responsible for overseeing the data and vulnerabilities, the relevant jurisdictional laws affecting the privacy rights of individuals, etc.

A DPIA can be prepared in a variety of formats, but should address all of the following information in some way:

  1. The need for a DPIA. Explain broadly why you have identified the need for a DPIA. This can be done in the introduction or the title sheet, noting it is done at the request of a particular client.
  2. The details of your data processing. The description of your organization’s data processing should not be general. It should rely on specific information about data files, backup files, email usage, electronic device usage, data subject requests, etc. When providing this information, consider the questions a third party would have about your processing. How do you collect, use, store, and delete data? Do you share data with anyone? Does the data include special categories of data? How much data do you collect and use? How long do you keep it?
  3. Consultation with third parties. In addition to explaining what your organization does with data, you should also explain the third parties your organization consults regarding its data processing. Describe the instructions and interactions you have with clients regarding data processed on their behalf. Describe the extent to which you rely on information security managed service providers and consult with information security attorneys.
  4. Data privacy and security best practices. A DPIA is an opportunity to review whether your organization employs data processing best practices. Do you properly minimize the data you process and staff member access to it? How do you respond to individual requests to enforce privacy rights? Do you have data processing agreements with your vendors to impose appropriate data privacy and security obligations on them?
  5. Identification and assessment of risks. There are two risks a DPIA should address: raw risks and controlled risks. Raw risks are the risks involved before any controls are implemented. For example, if everyone in your organization brings their laptops home with them and those laptops contain individuals’ bank account numbers, the raw risk might be quite high, due to the potential for laptops to be compromised by hackers or stolen. However, if your organization has imposed controls like encrypting each laptop and implementing a VPN, the controlled risk associated with that vulnerability is significantly lower.
  6. Measures that reduce risks. When discussing the controlled risks, you should also provide a detailed explanation of each control you rely on to reduce raw risk levels.
American and European privacy practices have differed for some time, but in the last year, European organizations have become incentivized to bridge that gap. If you are prepared to conduct, and help your clients conduct, a DPIA, your organization will be well positioned to continue business with European partners.

John Weaver is a member of McLane Middleton’s Information Privacy and Security Practice Group. The group assists businesses and private clients to improve their information privacy and security compliance, and address any security incident or breach that may arise. He can be reached at [email protected].
