A client requests that you conduct a TIA for data transfers to a US cloud service provider who will (gasp) access the data in the clear.

Do you:

  1. run away and leave a cartoon-like cloud of dust
  2. take their money and laugh
  3. take their money and cry, or
  4. other

It was a pleasure to participate in the “#cryandpray: Schrems II transfers IRL” roundtable at the International Association of Privacy Professionals’ Data Protection Congress in Brussels.

We covered several topics, including:

  • How are multinationals based in the US approaching cross-border transfers of HR data?
  • Will the UK initiative move the needle in the EU, with respect to either helpful third-country assessment information or, more generally, a risk-based approach?
  • What methodology are companies using for TIAs and risk assessment?
  • How are they approaching TIAs for sub-processors and sub-sub-processors until we reach Middle Earth?
  • Is there anything concrete we can do besides swipe the waterproof mascara and cry and pray?