We have been following closely the developments arising from Court of Justice of the European Union’s judgment issued last week in the Schrems II case. The judgment declared that the EU-US Privacy Shield is invalid. It also emphasises the need for robust due diligence where organisations are relying upon the European Commission’s Standard Contractual Clauses (SCCs) to enable international data transfers to countries outside the UK and EU, including America.
We will review any more substantive guidance from the ICO as it emerges and will consider the impact of that guidance on our international data transfers when it is published. In the meantime, we [The Police ICT Company & NEP] are reviewing all of our contracts to identify where the Privacy Shield and the SCCs are currently being used, and would advise forces to undertake a similar review in respect of their own contracts. We are also preparing a strategic supplier engagement plan, so that we can work with our suppliers to respond to the judgment and the guidance which follows in due course.
We will provide a further update once additional guidance is issued.