CNIL, the Commission Nationale de l’Informatique et des Libertés, which is France’s Data Protection Authority, publishes framework to deal with post-Schrems II cross border transfers following the European Data Protection Board’s final guidelines on supplemental transfer measures:
- Inventory your transfers (involve: DPO, information systems department, purchasing department, operational managers of services, digital service providers).
- Identify all digital tools used and all vendor contracts. CNIL lists the possible software and tools that could require transfers.
- Document this in an excel spreadsheet of the tools and create a data flow map
- Create an action plan.
- Carry out risk assessments with respect to personal data flows.
- Assess whether the transfers have a legal basis.
- Consider possible solutions following such analysis.
- Identify who is responsible for the transfers.
- Identify the transfer tools put in place.
- Assess the effectiveness of the tool used in relation to the legislation of the country to which the data is being transferred.
Submit the assessment and action plan, which should include the identified action priorities and the resources that can be operationalized to achieve the same, to the relevant organization executive, as well as regularly reviewing data flows outside the EU alongside reviewing their legality, in particular on the occasion of each new purchase of digital services.