Customer DPAs and the overuse of SCCs – fixing data transfer friction

Why do so many organisations still create unnecessary complexity around customer DPAs and international data transfers?

In this episode of Practical Privacy, Orla Dormer speaks with Roy Kamp about one of the most common — and frustrating — operational challenges in privacy: the overuse and misuse of Standard Contractual Clauses (SCCs) in customer contracting processes.

For many organisations, privacy negotiations have become increasingly slow, repetitive, and disconnected from actual risk. Teams often default to adding SCCs automatically, even when they are not legally required, creating unnecessary friction for legal, procurement, sales, and privacy teams alike.

Roy shares practical insights into why this happens, how organisations unintentionally overcomplicate data transfer assessments, and what businesses can do to simplify their approach while remaining compliant.

🎥 Watch the full episode

🎧 Listen on your preferred platform
Listen on Spotify
Listen on Apple Podcasts

What we cover in this episode

Rather than treating SCCs as a default contractual add-on, Roy explains why organisations need a more operationally mature understanding of international data transfers. He discusses:

• Why SCCs are frequently overused in customer agreements
• The operational consequences of unnecessary privacy negotiations
• Common misunderstandings around processor and controller relationships
• How legal teams create friction by applying overly cautious templates
• The importance of understanding actual data transfer risk
• Why scalable contracting processes matter for growing organisations

A major theme throughout the conversation is that privacy operations should reduce complexity — not create it. Many privacy bottlenecks emerge not from regulation itself, but from inefficient internal processes and risk assumptions.

Key lessons from this episode

• SCCs should not be used automatically in every agreement
• Understanding the data flow matters more than following templates blindly
• Over-engineered privacy processes create unnecessary business friction
• Legal precision must be balanced with operational scalability
• Privacy teams should focus on practical risk management
• Simplification is often a sign of maturity, not reduced compliance

This episode is a practical discussion about improving privacy operations, streamlining customer negotiations, and building more efficient approaches to international data transfer compliance.

Follow the series

If you want more real-world conversations about privacy operations, AI governance, and scaling compliance without unnecessary complexity:

• Follow Orla Dormer on LinkedIn for updates on new episodes
• Subscribe to our YouTube channel.
• Follow the podcast on Spotify or Apple Podcasts

New episodes are released regularly as part of the Practical Privacy series.

‍

🟡 If the challenges discussed in this episode resonate, you don’t have to solve them alone. Book a demo to see how organisations like Randstad and other global companies operationalise privacy and AI governance in practice, reducing complexity while aligning compliance with how their business actually works. 👉 Book your demo here