Five Steps to Comply With the New Standard Contractual Clauses

July 22, 2022

On June 4, 2021, after much anticipation, the European Commission issued a new set of Standard Contractual Clauses (SCCs) for the international transfer of customer data. These clauses are part of an ongoing effort to safeguard the personal data of European Union citizens as the data privacy environment continues to rapidly change. To comply with the EU’s General Data Protection Regulation (GDPR), any businesses transferring EU customers’ personal data outside of the European Economic Area must use the new SCCs for all new data transfer agreements.

 

The next deadline is now approaching rapidly. By December 27, 2022, all contracts using the old SCCs must be updated to comply with the new standards.

 

Five steps to comply with the new SCCs

Penalties for non-compliance are steep and costly.

 

Fines for violations of the GDPR can cost companies tens of millions in revenue and result in a loss of consumer trust and loyalty — a fear that keeps many compliance officers and lawyers up at night.

 

Here are five key steps to take while preparing for the December deadline, as discussed in the Evisort webinar on the Impact of the Updated Standard Contractual Clauses on Contracts with data privacy expert Debbie Reynolds:

 

1. Audit and update your contracts. Compliance and legal teams should all know by now that they need to update all contracts based on the old SCCs by this December. In order to meet the deadline, however, your team first needs to gauge how many contracts you need to update, find out where they are housed, and identify and update any outdated clauses.

While you’re at it, you should also look for and replace any provisions that were already non-compliant with the prior SCCs. With the stakes so high, it is important to leave no stone unturned.

If you’d like more guidance on how to remediate your data transfer agreements, see our earlier blog post for additional tips on updating contracts to comply with the new SCCs.

 

2. Re-examine arrangements with third-party data processors. The first-party data holder, also known as the data owner or data controller, is the party ultimately responsible for making sure that they have customer consent to collect the data, and that data collected from consumers (known as “data subjects”) is properly stored, encrypted, and secured. Even when sharing that data with third parties, the onus is still on the data controller to ensure the data is safe. If a data breach occurs, the controller could still be held responsible.

That’s why due diligence is so important when negotiating contracts with data processors. You need to be certain that they’ll take data security as seriously as you do. Debbie Reynolds suggests asking questions such as:

  • How do you describe your data transfer processes?
  • What protections are you going to put in place to protect the data?
  • How can you prove you are “walking the talk?”

If the vendor can't comply with applicable data privacy laws, then you may need to get a new data processor.

3. Examine the protections you promise to consumers. The new SCCs demand that data be protected. There’s a limit, however, to what businesses can do to shield customer data in the face of conflicting governmental inquiries. Consider the US Patriot Act, which expands law enforcement’s surveillance and investigative powers. Make sure to outline the technical steps you and the processor will take to protect the data in the contract, and conduct a realistic assessment of the data privacy risks associated with doing business in a particular country or region.

4. Streamline contract creation and amendment. In the past, if you wanted to add new parties to a data transfer agreement, you had to create a new contract every time. However, the new SCCs, for the first time, contain a “docking clause” that expressly enables the parties to add new data importers or exporters throughout the lifecycle of the contract. Additionally, the new SCCs adopt a modular approach to cater to various transfer scenarios:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

This is a big change, as the old SCCs only contemplated controller-to-controller and controller-to-processor data transfers. These updates provide long-awaited flexibility.

5. While you can’t change the SCCs, consider adding additional data protections. When issuing the new SCCs, the European Commission acknowledged that parties might need to implement supplementary measures to ensure adequate data protection. The newly issued SCCs allow parties to add other clauses or additional safeguards, as long as they do not contradict the SCCs or reduce the rights or freedoms of data subjects.

Evisort makes it easy to comply with the new SCCs

Manually scanning contracts to search for outdated data privacy language is a time-intensive, laborious process.

Evisort’s best-in-class contract AI helps legal and compliance teams streamline contract review and remediation. Evisort quickly turns large sets of documents into searchable data, giving stakeholders immediate visibility into contracts and providing answers to critical questions about what’s in the agreements.

Using Evisort, legal and business teams can easily:

Upload and fully index thousands of contracts within just hours, without IT support. Evisort easily integrates with a range of widely used business systems, enabling teams to work on their contracts without document migration or IT support. Whether you integrate with external storage, upload files directly, or both, Evisort centralizes your contracts in a single, secure, accessible repository.

Make your contract data instantly searchable. Instead of paying your paralegal(s) to spend hours pressing “Control + F” while looking for noncompliant language, use Evisort to immediately extract key data from your contracts — such as outdated data privacy clauses. You can quickly see which contracts you need to update and which contracts are expiring in the upcoming months. This efficiency helps you save both money and time on outside counsel or consultants.

Automate the creation of contracts that are compliant with new regulations. After answering a few questions about your data privacy agreements, such as the relationship between the parties and the governing law for each contract, you can use Evisort to create uniform contract and clause templates. This saves companies the time and headache of manually drafting every new contract from scratch, or painstakingly updating one clause at a time throughout a large portfolio of contracts.

Enforce consistent contracting processes. Evisort helps you manage the approval workflow and assign team members to review specific agreements and clauses. Users can leave notes for other team members and assign risk levels to particular clauses, flagging and prioritizing contracts for revision.

On top of that, Evisort’s powerful search, convenient dashboards, and customizable alerts can make it easier to track and enforce your organization’s regulatory compliance on an ongoing basis after all parties have signed the newly drafted or revised agreements.

Want to see how Evisort’s AI can help you bolster your compliance initiatives with contract intelligence? Schedule a demo today!

On June 4, 2021, after much anticipation, the European Commission issued a new set of Standard Contractual Clauses (SCCs) for the international transfer of customer data. These clauses are part of an ongoing effort to safeguard the personal data of European Union citizens as the data privacy environment continues to rapidly change. To comply with the EU’s General Data Protection Regulation (GDPR), any businesses transferring EU customers’ personal data outside of the European Economic Area must use the new SCCs for all new data transfer agreements.

 

The next deadline is now approaching rapidly. By December 27, 2022, all contracts using the old SCCs must be updated to comply with the new standards.

 

Five steps to comply with the new SCCs

Penalties for non-compliance are steep and costly.

 

Fines for violations of the GDPR can cost companies tens of millions in revenue and result in a loss of consumer trust and loyalty — a fear that keeps many compliance officers and lawyers up at night.

 

Here are five key steps to take while preparing for the December deadline, as discussed in the Evisort webinar on the Impact of the Updated Standard Contractual Clauses on Contracts with data privacy expert Debbie Reynolds:

 

1. Audit and update your contracts. Compliance and legal teams should all know by now that they need to update all contracts based on the old SCCs by this December. In order to meet the deadline, however, your team first needs to gauge how many contracts you need to update, find out where they are housed, and identify and update any outdated clauses.

While you’re at it, you should also look for and replace any provisions that were already non-compliant with the prior SCCs. With the stakes so high, it is important to leave no stone unturned.

If you’d like more guidance on how to remediate your data transfer agreements, see our earlier blog post for additional tips on updating contracts to comply with the new SCCs.

 

2. Re-examine arrangements with third-party data processors. The first-party data holder, also known as the data owner or data controller, is the party ultimately responsible for making sure that they have customer consent to collect the data, and that data collected from consumers (known as “data subjects”) is properly stored, encrypted, and secured. Even when sharing that data with third parties, the onus is still on the data controller to ensure the data is safe. If a data breach occurs, the controller could still be held responsible.

That’s why due diligence is so important when negotiating contracts with data processors. You need to be certain that they’ll take data security as seriously as you do. Debbie Reynolds suggests asking questions such as:

  • How do you describe your data transfer processes?
  • What protections are you going to put in place to protect the data?
  • How can you prove you are “walking the talk?”

If the vendor can't comply with applicable data privacy laws, then you may need to get a new data processor.

3. Examine the protections you promise to consumers. The new SCCs demand that data be protected. There’s a limit, however, to what businesses can do to shield customer data in the face of conflicting governmental inquiries. Consider the US Patriot Act, which expands law enforcement’s surveillance and investigative powers. Make sure to outline the technical steps you and the processor will take to protect the data in the contract, and conduct a realistic assessment of the data privacy risks associated with doing business in a particular country or region.

4. Streamline contract creation and amendment. In the past, if you wanted to add new parties to a data transfer agreement, you had to create a new contract every time. However, the new SCCs, for the first time, contain a “docking clause” that expressly enables the parties to add new data importers or exporters throughout the lifecycle of the contract. Additionally, the new SCCs adopt a modular approach to cater to various transfer scenarios:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

This is a big change, as the old SCCs only contemplated controller-to-controller and controller-to-processor data transfers. These updates provide long-awaited flexibility.

5. While you can’t change the SCCs, consider adding additional data protections. When issuing the new SCCs, the European Commission acknowledged that parties might need to implement supplementary measures to ensure adequate data protection. The newly issued SCCs allow parties to add other clauses or additional safeguards, as long as they do not contradict the SCCs or reduce the rights or freedoms of data subjects.

Evisort makes it easy to comply with the new SCCs

Manually scanning contracts to search for outdated data privacy language is a time-intensive, laborious process.

Evisort’s best-in-class contract AI helps legal and compliance teams streamline contract review and remediation. Evisort quickly turns large sets of documents into searchable data, giving stakeholders immediate visibility into contracts and providing answers to critical questions about what’s in the agreements.

Using Evisort, legal and business teams can easily:

Upload and fully index thousands of contracts within just hours, without IT support. Evisort easily integrates with a range of widely used business systems, enabling teams to work on their contracts without document migration or IT support. Whether you integrate with external storage, upload files directly, or both, Evisort centralizes your contracts in a single, secure, accessible repository.

Make your contract data instantly searchable. Instead of paying your paralegal(s) to spend hours pressing “Control + F” while looking for noncompliant language, use Evisort to immediately extract key data from your contracts — such as outdated data privacy clauses. You can quickly see which contracts you need to update and which contracts are expiring in the upcoming months. This efficiency helps you save both money and time on outside counsel or consultants.

Automate the creation of contracts that are compliant with new regulations. After answering a few questions about your data privacy agreements, such as the relationship between the parties and the governing law for each contract, you can use Evisort to create uniform contract and clause templates. This saves companies the time and headache of manually drafting every new contract from scratch, or painstakingly updating one clause at a time throughout a large portfolio of contracts.

Enforce consistent contracting processes. Evisort helps you manage the approval workflow and assign team members to review specific agreements and clauses. Users can leave notes for other team members and assign risk levels to particular clauses, flagging and prioritizing contracts for revision.

On top of that, Evisort’s powerful search, convenient dashboards, and customizable alerts can make it easier to track and enforce your organization’s regulatory compliance on an ongoing basis after all parties have signed the newly drafted or revised agreements.

Want to see how Evisort’s AI can help you bolster your compliance initiatives with contract intelligence? Schedule a demo today!