At a glance.
- EDPB data transfer guidelines.
- Considerations of SEC disclosure regulations.
Cooley’s advice on data transfers under new EDPB guidelines.
The European Data Protection Board (EDPB) in November adopted provisional guidelines on international data transfers and on how such transfers are affected by the provisions of the General Data Protection Regulation (GDPR). Though the final guidelines have not yet been published, the experts at Cooley offer a primer on how the new rules will affect international data transfers and on how supplementary measures can be used to comply with Schrems II requirements. The EDPB confirms that a transfer can take place if the recipient is already subject to the GDPR, but in most cases will not be allowed if the data is collected by a non-EU organization directly from the data subjects. The new rules will likely focus on the significant gaps between the provisions of the GDPR and post-Schrems II transfer requirements, such as rights of redress and enforcement against the importer, obligations to resolve issues arising from conflicting local laws and practices, and obligations in cases where public authorities access the transferred data. To better protect the data being transferred, businesses can employ technical measures such as encryption or pseudonymisation, internal policies governing transfers, and contractual technical and transparency obligations.
Preparing for the SEC’s new risk management and reporting rules.
As we’ve previously noted, the US Securities and Exchange Commission (SEC) earlier this month proposed new rules and amendments regarding cybersecurity risk management and incident reporting. JD Supra offers an overview of how these rules, if implemented, will affect public companies, and offers recommendations for preparing for the changes. Businesses are advised to review their risk factors and update their procedures so that company leadership has access to this information and can make informed and timely decisions regarding disclosure. It is also recommended that companies implement continuous improvement models that allow the organization to learn from previous incidents and enhance its resilience. JD Supra also provides a summary of the proposal’s key provisions, including amendments to Form 8-K that would require companies to disclose details about cybersecurity incidents within four business days of detection, including when the incident was discovered and whether it is ongoing, the nature and scope of the incident, the impact of the incident on company operations, and any remediation plans. This is a challenging task when one considers that other reporting requirements in the US typically allow thirty to sixty days. It’s worth noting that the SEC is accepting comments on the Proposed Amendments until May 8.