RiskBusiness Services Limited, the leading provider of governance, risk, audit and compliance SaaS (Software-as-a-Service) solutions announced today the availability of a GDPR Equivalency Checker feature as an integral component of its Graci governance, risk, audit and compliance solution. The new feature is targeted at companies that need to comply with the “Schrems II” personal data privacy shield legislation that comes into effect on September 27, 2021.
Schrems II is the popular term for a July 2020 ruling by the Court of Justice of the European Union (CJEU) related to the EU-US Data Privacy Shield Program, which presently allows companies to transfer data between the US and EU countries. The ruling invalidated that accommodation due to concerns around electronic surveillance conducted by US state and law enforcement agencies. Instead, the ruling requires EU companies, from September 27, 2021, to conduct individual assessments of each data transfer to non-EU countries in order to comply with the General Data Protection Regulation (GDPR). The administrative and operational burden of compliance is likely to be considerable and may lead to companies ceasing to transact business outside of the EU.
The new GDPR Equivalency Checker facility within Graci automates the compliance assessment process, providing a straightforward method to determine whether equivalency or adequacy exists for a specific jurisdiction, then to manage comprehensive and detailed checks of required measures for those jurisdictions not deemed equivalent or adequate, resulting in a list of required measures to be implemented to ensure compliance. Each check performed is recorded in a timestamped audit trail to ensure visibility into the outcome of individual measures.
As an example of how the GDPR Equivalency Checker works, consider a case where an EU bank needs to send beneficiary data with a payment to another country. If the destination country is another EU country, equivalency exists and no further action is required. If the destination country is the UK, the EU has deemed the UK as adequate and again no further checks are required. If the destination is, say, Botswana, it is neither equivalent nor adequate and the source bank will be required to identify and implement additional measures to safeguard any EU citizen’s data accompanying the payment, retaining evidence of what checks were made and what safeguards were implemented.
Graci’s flexible technology architecture, along with its ability to support a standard questionnaire capability to deliver requirement checks, allowed RiskBusiness to add the GDPR Equivalency Checker functionality in an expeditious way.
Mike Finlay, RiskBusiness’ Chief Executive Officer, welcomed the addition of the GDPR Equivalency Checker into Graci, saying “The cost of compliance continues to grow, with increasing compliance obligations requiring attention from not just the compliance function, but also from legal, data privacy, risk and information technology groups as well.” He adds “Schrems II creates two distinctly different compliance obligations. Firstly, the need to ensure adequacy or equivalency and to take proactive action where additional safeguards are required, and secondly, maintaining an ongoing audit trail that appropriate checks were completed in advance of transferring EU citizens data. The GDPR Equivalency Checker supports both in a fully automated manner”.
Graci by RiskBusiness is a comprehensive flexible modular solution to the modern governance, risk, audit and compliance (GRAC) requirements of small, medium, large and global conglomerate firms alike. Designed by industry practitioners for use by fellow practitioners, components of Graci are already used by over 200 firms globally.
Graci is available with fully-integrated risk content, including numerous classification taxonomy hierarchies, libraries of key risk and control indicators, scenarios and regulations and with continuously-updated breaking news or public loss data.
Using a unique data separation and encryption technique, coupled to information security and information technology sound practices, Graci utilises multiple levels of access controls to ensure only your staff can access your data and can only access that data which is pertinent to their role.
Delivered as a Software-as-a-Service (SaaS) solution, you need not fear where your data may be, as rather than your data residing somewhere “in the Cloud”, Graci utilises known, identified and secure Microsoft Azure Data Centres, so that you know exactly where your data is.
