How to Lawfully Comply with Schrems II for International Data Transfer

Gary LaFever (Anonos)
[00:03] Hi. My name is Gary LaFever and I'm here to discuss how GDPR Pseudonymisation can be used as a Schrems II compliant supplemental measure for SCCs and BCRs.

[00:17] Here are the key takeaways. There are three. The first one: The GDPR requires Data Protection by Design and by Default for all Processing. And what that means is that whenever possible processing must be done using de-identified data.

[00:34] Point two: GDPR Pseudonymisation is defined to satisfy Data Protection by Design and by Default and what's important is that applies to processing both inside and outside of the EU, as well as inside and outside of protected perimeters.

[00:52] Point Three: One and two together mean that Properly Implemented GDPR Pseudonymisation Satisfies Schrems II Requirements, so you can continue to use SCCs and BCRs for lawful data transfers, which includes outsourcing, Software as a Service, and cloud processing.

[01:13] So, let's look at Data Protection by Design and by Default. It's not optional. It's mandatory for both primary and secondary processing. You shall do it by default.

[01:26] And what does it require? It requires that personal data not be made accessible without the permission of the data subject. And so, the reality is, you can separate the information value from the identifying data or what we call here the Who and the What Data.

[01:44] So, how does Pseudonymisation fit in? Well, the very definition of Pseudonymisation is defined to support Data Protection by Design and by Default. By saying that in order to be compliant GDPR Pseudonymisation, it must be such that no one can re-link the Who Data to the What Data, but for access to additional data that is kept separately by the data controller.

[02:10] In the context of Schrems II, by that we mean the EU exporter. So, the reality is, the data that's provided for outsourcing, for SaaS processing, for cloud processing has information value and can be processed, but even if captured and surveilled will not reveal the identity of data subjects.

[02:33] This demarcation and separation between who and what is what got Anonos recognized as a Gartner Cool Vendor because our Variant Twins, which is what we call the output of our patented Pseudonymisation system, in fact, satisfy the requirements for GDPR pseudonymised data.

[02:54] The great thing about this is Variant Twins, the output of Anonos technology, satisfy all but the Edge processing. So, you'll see here that Variant Twins can be created to support both primary and secondary processing. And they, when compared with clear text unprotected data, will deliver the same accuracy and the same utility as that unprotected data. So, without any loss of value, you still get the benefit of the information value while protecting and enforcing and maintaining the fundamental rights of the data subjects.

[03:27] So, what does our technology not support? Well, it's the Edge Cases. If you can't process data using de-identified data, then that data should be processed in-country. Or for consent based processing where you don't need these protections. But for everything else, Anonos technology and our Variant Twins enable you to satisfy the Schrems II requirements. And just as importantly, your business objectives.

[03:54] That's why we've coined the term Data Liquidity so that you get universal data protection - the GDPR, data sovereignty laws, Schrems II, vertical industry laws, other geographic restrictions and laws around the world - all with the same platform. And in doing so, what you get is unrivaled data utility so your data can be used anywhere and in a way that's lawful. This has never been achieved before.

[04:21] I invite you to attend a webinar tomorrow where industry experts including Max Schrems’ own organization, NOYB, will validate these principles. So, come to see this webinar and see these principles reinforced and validated.

[04:40] Again, one: the GDPR requires Data Protection by Design and by Default for all processing, and that means whenever possible the processing involves de-identified data. Two: GDPR Pseudonymisation, as newly defined, which requires the separation of information value from identity, was literally defined to satisfy the requirements of Data Protection by Design and by Default, and as a result applies to data processing both within and outside of the EU and will protect the data both within and outside of protected perimeters. And the best news of all: as a result, properly pseudonymised data will satisfy Schrems II requirements so that you can continue using SCCs and BCRs to achieve your business goals and objectives. Thank you.