RiskBusiness Launches GDPR Equivalency Checker for Data Privacy

The new checker is targeted at companies that need to comply with the Schrems II personal data privacy shield legislation that comes into effect this month.

RiskBusiness Services Limited, a provider of governance, risk, audit and compliance SaaS solutions, has unveiled a GDPR Equivalency Checker feature as an integral component of its Graci governance, risk, audit and compliance solution. The new feature is targeted at companies that need to comply with the Schrems II personal data privacy shield legislation that comes into effect on 27 September 2021.

Schrems II is the popular term for a July 2020 ruling by the Court of Justice of the European Union (CJEU) related to the EU-US Data Privacy Shield Program, which presently allows companies to transfer data between the US and EU countries.

RiskBusiness explains that the ruling invalidated that accommodation due to concerns around electronic surveillance conducted by US state and law enforcement agencies. Instead, the ruling requires EU companies, from 27 September, to conduct individual assessments of each data transfer to non-EU countries in order to comply with the General Data Protection Regulation (GDPR).

Mike Finlay, RiskBusiness’ Chief Executive Officer, comments: “Schrems II creates two distinctly different compliance obligations. Firstly, the need to ensure adequacy or equivalency and to take proactive action where additional safeguards are required, and secondly, maintaining an ongoing audit trail that appropriate checks were completed in advance of transferring EU citizens’ data.”

RiskBusiness’ new GDPR Equivalency Checker facility within Graci automates the compliance assessment process. It first determines whether equivalency or adequacy exists for a specific jurisdiction; for jurisdictions not deemed equivalent or adequate, it then manages checks of the required measures and produces a list of measures that must be implemented to ensure compliance. Each check performed is recorded in a timestamped audit trail, giving visibility into the outcome of individual measures.

As an example of how the GDPR Equivalency Checker works, RiskBusiness considers a case where an EU bank needs to send beneficiary data with a payment to another country. If the destination country is another EU country, equivalency exists and no further action is required. If the destination country is the UK, the EU has deemed the UK as adequate and again no further checks are required. If the destination is, say, Botswana, it is neither equivalent nor adequate and the source bank will be required to identify and implement additional measures to safeguard any EU citizen’s data accompanying the payment, retaining evidence of what checks were made and what safeguards were implemented.

Graci by RiskBusiness is a modular solution and is used by over 200 firms globally. Graci – which means ‘thanks’ in Esperanto – is available with integrated risk content, including classification taxonomy hierarchies, libraries of key risk and control indicators, scenarios and regulations, and with continuously updated breaking news or public loss data.

Using a “unique” data separation and encryption technique, coupled to information security and information technology sound practices, the company says Graci utilises multiple levels of access controls to ensure only a firm’s staff can access the firm’s data and can only access that data which is pertinent to their role. Graci uses Microsoft Azure data centres.

RiskBusiness was founded in 2003 and today has principal locations in Birmingham, London, Buenos Aires, Amsterdam, Hong Kong, New York, Singapore, Toronto and Zürich.

Case studies on its website include NDB, a Sri Lankan-based bank; and Novia Financial, a wealth management service.

Questions Around GDPR Compliance

In an analysis piece this month at eWeek UK, Theis Nilsson, vice president of customer success and innovation at Omada, discusses how achieving GDPR compliance is possible.

Nilsson notes that GDPR was designed to significantly change how businesses handle customers’ personal data, though that hasn’t become a full reality. Compliance has certainly not been absolute, and as the increasing fines reveal, some organisations are struggling. But achieving GDPR compliance is possible, and a modern identity governance strategy can help tremendously.

Also this month, although not in the UK, WhatsApp was fined €225 million (£193 million) by Ireland’s data watchdog for breaching privacy regulations.

This is the largest fine ever from the Irish Data Protection Commission, and the second-highest under EU GDPR rules. The fine relates to an investigation which started in 2018, about whether Facebook-owned WhatsApp had been sufficiently transparent about how it deals with information.

WhatsApp says it plans to appeal.

Antony Peyton
Antony Peyton is the Editor of eWeek UK. He has 18 years' journalism and writing experience. His career has taken him to China, Japan and the UK - covering tech, fintech and business. Follow on Twitter @TonyFintech.