1. Risk of Business Disruption And Losses
The penalty for non-compliance with Schrems II is immediate termination of access to data, not fines
- Disruption to operations from terminated access to data can exceed any fine in its negative impact on business, revenue, and stock value.
- The burden of proof for compliance is on an organisation in order to regain access and use their data.
2. Risk of Board / Executive Team Liability
Failure to take action to remedy Schrems II non-compliance over the 10+ months since the CJEU ruling can expose Boards of Directors / Executives to personal and criminal exposure.
- “Wait and see” strategies increase the risk for potential claims of breach of fiduciary duties.
- Potential options / actions should be evaluated and well documented in corporate resolutions and Data Protection Impact Assessments (DPIAs).