
A client requests that you conduct a TIA for data transfers to a US cloud service provider who will (gasp) access the data in the clear.
Do you:
- run away and leave a cartoon-like cloud of dust
- take their money and laugh
- take their money and cry, or
- other
It was a pleasure to participate in the “#cryandpray: Schrems II transfers IRL” roundtable at the International Association of Privacy Professionals’ Data Protection Congress in Brussels.
We covered several topics, including:
- How are multinationals based in the US approaching cross-border transfers of HR data?
- Will the UK initiative move the needle in the EU, with respect to either helpful third-country assessment information or a risk-based approach generally?
- What methodology are companies using for TIAs and risk assessment?
- How are they approaching TIAs for sub-processors and sub-sub-processors until we reach Middle Earth?
- Is there anything concrete we can do besides swipe the waterproof mascara and cry and pray?