May 25, 2021
Written by
Gary LaFever

Schrems II Threats to “Data Supply Chains” Present an Immediate Risk to Your Business Continuity

Hundreds of registrants to the upcoming Final EDPB Guidance Schrems II Cross-Border Data Flows webinar have acknowledged that they are already facing business continuity risks and risks to data supply chains as a result of Schrems II. 

Uninterrupted access to data supply chains is crucial for business operations and continuity, and disruptions can cause major financial and reputational losses. The ruling in Schrems II is clear that technical supplementary measures are required to protect data when transferred, shared, and processed by non-EU owned companies (regardless of where they are located) when there is any risk of surveillance. When a downstream partner does not have these technical measures in place, upstream data supply chain providers are threatening to discontinue data flows rather than risk damage to their own business operations (1). Data is an incredibly valuable resource for company performance and innovation, and without data flowing freely, critical opportunities for growth and revenue may be lost.

With hundreds of Schrems II webinar registrants already noting this issue as a top concern, these problems are coming to the forefront of business consciousness. Given the interconnected nature of data supply chains, once one company or organisation is affected or begins to establish Schrems II compliance measures, other companies must follow suit. Having a solution in place can help to ensure that business opportunities are not lost.

Critically, it should be noted that to prevent supply chain disruptions and to adequately comply with Schrems II, technical supplementary measures are required (not just contractual protections or organisational policies or procedures).

In addition, the need for technical supplementary measures applies immediately to existing SCCs as well as new SCCs when they are finalised. This means that many organisations are already non-compliant, and must quickly take steps to get into line. Others who are not as fast and find themselves without sufficient measures in place can be left out of the data supply chain completely. 

Without immediate access to Schrems II compliant technical controls, you face serious risk of interruption to critical data supply chain relationships.

Based on our experience helping clients solve threats to their data supply chains, we developed the following infographic illustrating how to put technical supplementary measures in place to prevent Schrems II data supply chain disruptions by providing your partners with the assurances they need.

[Infographic: How to Survive and Thrive Under Schrems II Using GDPR-Compliant Pseudonymisation. Anonos Lawful Borderless Data = Maximum Data Protection and Value Maximisation]

Download this Infographic in PDF at

Anonos Data Embassy Quick Start Software enables companies to reach a sufficient level of compliance within 48 hours of first contacting us. By beginning to implement Anonos software and supplementary technical measures, you can reassure your partners and customers that your organisation has taken the necessary first steps. This can prevent serious potential losses from data supply chain interruptions.

If you have any questions, contact me via LinkedIn.

If you have not yet registered for the Final EDPB Schrems II Guidance Webinar, visit:

Upcoming Webinar on Technical Supplementary Measures: Unpack the Final EDPB Schrems II Guidance

(1) Business continuity risks arising from the inability to process data are more significant than the monetary risk from penalties or non-monetary risks from damaged reputation from privacy or security breaches. In the Schrems II ruling, the Court of Justice of the European Union notes five times the preference for injunctive relief for failing to comply with international data transfer requirements (see paragraphs 121, 135, 146, 154, and 203(3) of the ruling). See also the National Law Review article discussing a 12-hour notice to terminate processing sent by the Portuguese data protection authority to a Portuguese agency relying on SCCs. See also the PwC article highlighting that 52% of Fortune 500 companies now include privacy risk disclosures in their annual reports due to auditing considerations regarding an entity’s ability to continue as a going concern.

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.