June 29, 2021
Written by
Gary LaFever
Top 10 Immediate Requirements for Surviving and Thriving Under Schrems II LinkedIn Logo

Top 10 Immediate Requirements for Surviving and Thriving Under Schrems II

Anonos' webinar with 3200+ from 2300+ companies and 50+ countries inspired an updated Snakes and Ladders game highlighting the benefits of "moving forward" versus "backwards" with the Top 10 Immediate Requirements for Surviving and Thriving under Schrems II.

The Top 10 Immediate Requirements for establishing a defensible position and avoiding unnecessary disruptions to your data supply chain, as discussed at last week’s Schrems II: Surviving and Thriving webinar, are summarised below.

Finalisation of the European Data Protection Board's (EDPB) Recommendations on Supplementary Measures[1] ("Final EDPB Guidance" ) and the European Commission's (EC) updated Standard Contractual Clauses[2] (“Final SCCs”) for complying with Schrems II[3] requirements present new requirements that challenge long-established business practices.[4]

Anonos developed a Schrems II version of the classic Snakes and Ladders[5] game to highlight the benefits of "moving "forward" versus "backwards" using these Top 10 Immediate Requirements for Surviving and Thriving under Schrems II.

The Snakes and Ladders game is a worldwide classic. The game’s object is to navigate a game piece from the bottom "start square" to the top "finish square" by climbing ladders while being hindered by falling down snakes. The game symbolises life's journey, with each player represented by a different token. Rolling a single dice determines the random number of moves that each player takes. The traditional version helps teach morality, with each player's progression on the board representing life's journey complicated by virtues (ladders) and vices (snakes).

Anonos[6] created this Schrems II Snakes and Ladders game to illustrate how you can "move forward" with your data innovation goals by protecting data when in use leveraging GDPR-compliant Pseudonymisation as a Schrems II-compliant Technical Supplementary Measure. In the Schrems II game, the ladders represent positive aspects of the Schrems II ruling, such as improved data protection, innovation, data value, and speed to insight, enabling you to move forward. In contrast, the snakes represent negative aspects of inadequate data protection: privacy breaches, negative publicity, terminated access to data, and lawsuits that set you back.

Top 10 Immediate Requirements for Surviving and Thriving Under Schrems II

Download our Schrems II Snakes and Ladders Game

There is no skill required to play the Schrems II Snakes and Ladders game – only the throw of the dice. However, learning how to Survive and Thrive under Schrems II requires knowledge of the following Top 10 Immediate Requirements:

1.Updating SCCs without new technical controls is not enough. Protection for EU personal data must travel with the data wherever it goes immediately.[7]

2. Technical Supplementary Measures are required to prevent the identification of data subjects directly or indirectly using other available data sources.[8]

3. Encryption does NOT travel with the data WHEN IN USE because it must be decrypted to enable use.[9]

4. Encryption is not adequate for data transferred to US importers subject to FISA because of obligations to grant access to personal data in their possession, including cryptographic keys to render the data intelligible.[10]

5. Encryption must be state-of-the-art and effective against cryptanalysis capabilities of public authorities in the recipient country, taking account of their resources and technical capabilities, including computing power for brute-force attacks.[11]

6. The EDPB recommends GDPR-compliant Pseudonymisation to protect data WHEN IN USE.[12]

7. GDPR-compliant Pseudonymisation enables greater lawful data use[13] by helping to:

  • Support Lawful Data Repurposing, Sharing and Combining
  • Overcome Prohibitions Against Special Category Processing
  • Separate Processing Benefits from Re-Identification Obligations
  • Maximise the Availability of Lawful Profiling and Digital Marketing
  • Satisfy Data Protection by Design and by Default Obligations
  • Reduce the Risk of Data Breach Liability Obligations and Liability
  • Improve Scalability of Data Protection Impact Assessments
  • Enable Benefits of Expanded Lawful Processing

8. Localisation of processing will not solve the issue. Schrems II controls are required even if the processing is localised solely in the EEA or adequacy decision countries if necessary to satisfy GDPR Article 25 Data Protection by Design and by Default and Article 32 Security requirements, both of which specifically highlight GDPR Pseudonymisation.[14]

9. All parties in a data supply chain are jointly and severally liable to data subjects, each of whom can seek redress in EU courts.[15]

10. If downstream data supply chain parties do not have adequate technical supplementary measures like GDPR-compliant Pseudonymisation, upstream data providers will discontinue data flow rather than risking damage to their own business. Data is a precious resource for company performance and innovation, and without data flowing freely, critical opportunities for growth and revenue is lost.[16]

We have chosen to whimsically apply a children's game concept to the very serious business of Schrems II compliance to help visualize how to navigate the intricacies of the ruling. However, Anonos does not take the effect of Schrems II on your business lightly.

Anonos has spent 8 years developing state-of-the-art software and received 12 granted international patents on achieving the impossible: balancing the highest level of data protection with 100% data utility. What is most unique about Anonos technology is that it is the only solution that enables data protection to travel with the data wherever it goes.

In response to client requests, we have packaged our Data Embassy Quick Start program to allow you to achieve an immediate defensible position under Schrems II. We recognize that companies need time to educate their teams and develop a game plan for the future, but they almost must take steps immediately to become compliant. Anonos Quick Start allows you to do exactly that. We welcome you to explore our technology and learn about our guarantee that we are the state-of-the-art compliant solution.


We provide a comparison matrix enabling you to compare Anonos Data Embassy software to other solutions at ENISA Guidelines. Time is of the essence to avoid disruptions to your data supply chain. Our Quick Start program provides the opportunity for you to start using Anonos software while you complete your comparison.


We guarantee that Anonos software is the only available Schrems II compliant Pseudonymisation solution, or we will refund your money.


Anonos Data Embassy Quick Start software enables companies to reach a sufficient level of compliance within 48 hours of first contacting us. By beginning to implement Anonos software and supplementary technical measures, you can reassure your partners and customers that your organisation has taken the necessary first steps. To learn more about Data Embassy, go to

>>If you have any questions, please contact me via LinkedIn.


[1] See

[2] See

[3] Schrems II" refers to the Judgement of the Court of Justice of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18 at

[4] The supervisory authority for the German state of Bavaria stated in its Press Release announcing coordinated audits by German regulators of data transfers that “In many cases, the ECJ ruling requires a fundamental change in long-practiced business models and processes.”

[5] The game is also known by other names, such as "Moksha Patam" in India and "Chutes and Ladders" in the United States. See

[6] Anonos' state-of-the-art patented Data Embassy technology makes the impossible possible: It uniquely reconciles conflicts between maximising (i) data use, sharing and combining and (ii) data protection and privacy. Whether for AI or ML models or improving your data analytics solutions, you extract the most value from personal data with dynamic use cases. Why settle for outdated techniques protecting only static uses that deliver little value? Let Anonos prove how our Data Embassy software can solve your most complex legal and data challenges to maximise data value without compromising accuracy or legal requirements. Learn more at

[7] See EDPB Final Guidance on page 2, Executive Summary, and Paragraphs 9 and 34.

[8] Id, at Paragraphs 53 and 79.

[9] Id, at Paragraphs 84 and 90.

[10] Id, at Paragraphs 80 and 81.

[11] Id, at Paragraph 84.

[12] Id, at Paragraph 85.

[13] See

[14] Supra, Note vii at Paragraph 83. Pseudonymisation is referenced 15 times in the GDPR compared to encryption which is referenced only 3 times and anonymisation which is referenced only 2 times in the GDPR.

[15] See Final SCCs at Clauses 3 and 12.

[16] Business continuity risks arising from the inability to process data are more significant than the monetary risk from damages or penalties or non-monetary risks from damaged reputation from breaches. See PwC article highlighting that 52% of Fortune 500 companies now include privacy risk disclosures in their annual reports due to auditing considerations regarding an entity’s ability to continue as a going concern.

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.