In 2021, we saw an increase in international expansion and need for compliance certifications, and big changes in the privacy landscape. As we near the end of the year, European organisations should be thinking ahead to the compliance challenges and opportunities that are coming in 2022. It’s always best to be proactive in strategising for future regulations, standards, and policies — even if you feel your business is currently running with all systems fully operational.
Here are a few of the changes, trends, and predictions in the world of European business that I believe will make a big difference throughout 2022.
GDPR and the New Standard Contractual Clauses (SCCs)
Last year’s court ruling that the EU–U.S. Privacy Shield framework is no longer a valid data transfer mechanism under the General Data Protection Regulation (GDPR) brought about new standard contractual clauses (SCCs), which were approved in June 2021. These were introduced to replace the old SCCs (last updated in 2010) and reflect GDPR data protection requirements. Any new contracts signed after 27 September 2021, are required to use these new SCCs. For contracts signed before that date, organisations have until 27 December 2022, to update the terms to make sure all data transfers are subject to the proper safeguards.
If your business exports European personal data to the U.S., the European Data Protection Board (EDPB) recommends taking the following actions:
- Create data mapping documents that outline exactly where all data is being transferred to outside countries.
- Identify your data transfer tool, likely the new SCC (there are a few other options, including binding corporate rules [BCRs]).
- Determine the effectiveness of laws/practices that apply to the data being transferred in the outside country.
- If there is an absence of GDPR-equivalent protection, determine appropriate technical and contractual measures to enhance the level of data protection.
- Carry out any formal procedural steps necessary for those measures to be effective in data transfers.
- Continuously monitor the level of protection given to the data transferred to the outside country and suspend transfer if protection becomes insufficient.
Governments on both sides of the Atlantic acknowledge that making you, the data exporter, carry out assessments of security frameworks in non-European countries can be a complex exercise. That’s why the EU and U.S. are currently working on a replacement agreement for Privacy Shield, which could be finalised by early 2022.
SOC 2 Continues to Gain Popularity
It’s undeniable that SOC 2 assessments are rapidly growing in popularity across Europe. One reason for this is that SOC 2 reports have become established as the information security gold standard for selling any type of “X-as-a-service” to businesses based in the U.S. While ISO 27001 is the security standard in much of Europe, U.S. businesses are typically less willing to accept this certification and require a SOC 2 report instead.
In addition to aiding expansion into the U.S., certain sectors in Europe (mainly in the UK) have begun to outright require SOC 2 reports as a prerequisite for doing business. These sectors include banking, insurance, and central government. The fact that UK agencies have begun necessitating SOC 2 for vendors or primes looking to engage in government contracts should be seen as a significant development and potential indicator of future growth of SOC 2 in Europe.
If your business is looking to expand internationally or get ahead of the regulatory curve by obtaining a SOC 2 report, you should start by contacting an accredited, U.S.-based Certified Public Accountant (CPA) firm governed by the American Institute of Certified Public Accountants (AICPA). COVID-era remote SOC services have been helpful for reducing certain expenses, such as travel, that go along with onsite work. However, I believe it’s possible that the AICPA could bring back onsite fieldwork requirements in 2022. Talk to a firm capable of high-quality remote and onsite audits, which provides versatility to keep you covered no matter what.
The Data and Data Governance Acts
As Europe strives to improve its assorted data-sharing mechanisms, there are two initiatives introduced by the European Commission that have been making their way through government: the Data Act and the Data Governance Act.
The Data Act is focused on rights related to the access to and use of data. This includes delineating rights for non-personal internet of things (IoT) data, which is largely regulated through private contracts at the moment. For example, who owns data generated by an industrial machine in a warehouse?
The proposal also aims to refine data portability rights such as those outlined under GDPR Article 20, which was designed to allow consumers to easily switch their data over to a new service provider. The Data Act would provide more detailed technical specifications to make this process more viable, which could theoretically create a more competitive business market for said data.
The Data Governance Act, on the other hand, aims to increase the availability and sharing of public sector data that could be used to power cutting-edge technologies such as artificial intelligence (AI). It also proposes a new model for data intermediation in which consumers would be able to exercise their GDPR rights by sharing data with trusted companies via digital platforms or applications.
While the Data Act and Data Governance Act are still going through the legislative process, it’s worth keeping an eye on these two initiatives that could have major impact on the future of commerce in Europe. Ultimately, they could lead to the creation of a “genuine single market for data” which would have far-reaching implications for business and compliance alike.
Strengthening Your Business’s Compliance Program
Ensuring the privacy of consumer data and the protection of information will continue to be of utmost importance for your organisation in the coming years. If you’re looking to fine tune your business’s compliance program in order to abide by the latest regulations, while also winning new business, A-LIGN can help. Our expertise spans privacy impact assessments, GDPR-related services, and SOC 2 examinations. We have everything needed to take your compliance program to new heights in 2022.
If you have any questions or if you would like to learn more about undergoing a cybersecurity or compliance assessment, please reach out to one of A-LIGN’s experienced assessors today.