Companies which have relationships with Microsoft, Amazon, Facebook etc. are not compliant with Schrems II, as it is obvious that these companies do not have the additional safeguards needed. Small companies cannot negotiate with them to put additional safeguards in place to protect data as mandated by Schrems II. So before the EDPB and EC publish a new set of SCCs and third country transfer guidelines, should the companies just accept the risk and wait?
I would ensure that you understand and have mapped all the data flows to these organisations (easier said than done, I know). Any additional measures that you can put in place, such as encryption, anonymisation, data minimisation etc., should be put in place if not already. We're facing the same dilemma and it is frustrating that there is only so much we can do.
I would look to your own DPA for guidance on this. In the UK they have said that they are being pragmatic about it.
As Tash says, the ICO currently says they'll be pragmatic. Let's hope in practice it's true. As an SME you are right to say you have no power to negotiate with the big boys that most organisations have no option but to use (the ones you mention included).
My opinion is that organisations must have a well-developed RoPA that helps expose the risks of each processing activity, and should then be using that understanding to drive continuous improvement in their posture. By doing this you are reducing the overall risk to the organisation. Every little bit helps 🙂