With the exponential rise in global trade over the last 50 years, the need to transfer personal data across borders has exploded — as has the need to protect that information. Whether it’s sharing employee information between subsidiaries or transferring customer data to third-party service providers, organisations that operate internationally must ensure that data transfers comply with applicable data protection regulations. But how can we identify and address risks to personal data during transfer?
A Transfer Impact Assessment (TIA) is a critical process required for ensuring that cross-border personal data transfers comply with the GDPR, particularly after the 2020 Schrems II ruling. It assesses the risks associated with transferring data to third countries and mandates implementing safeguards to protect data subjects from potential threats posed by the legal environment in those countries.
Schrems II – The origin of the Transfer Impact Assessment
The concept of the Transfer Impact Assessment (TIA) gained significant importance after the invalidation of the EU-U.S. Privacy Shield framework by the Court of Justice of the European Union (CJEU) in July 2020, in a case known as Schrems II. The ruling declared that U.S. data protection laws did not provide an adequate level of protection to personal data transferred from the European Union to the U.S. under the Privacy Shield.
The Schrems II decision prompted companies to evaluate the adequacy of the protection provided by third countries’ legal frameworks when transferring personal data. This evaluation is necessary to ensure that the level of protection for personal data is “essentially equivalent” to that guaranteed by the General Data Protection Regulation (GDPR) in the European Union.
While Standard Contractual Clauses (SCCs) remained a valid transfer mechanism for international personal data transfers outside the EU, after Schrems II, the European Data Protection Board (EDPB) issued guidelines requiring companies to perform Transfer Impact Assessments to assess whether the legal environment of the third country to which data is being transferred ensures adequate protection for the personal data.
To learn more about data transfers according to the GDPR, read this article: 3 steps for data transfers according to GDPR.
What is a Transfer Impact Assessment?
A Transfer Impact Assessment (TIA) is a risk assessment process designed to identify risks to data subjects when their personal data is exported outside the European Economic Area (EEA). Usually, these risks relate to how personal data can be accessed or processed by authorities, public institutions, or private organisations under the local legislation of the country of import, in ways that bypass the legal safeguards of the EEA and the GDPR.
TIA versus DPIA
A TIA can be performed as part of a Data Protection Impact Assessment (DPIA), or as an independent process. Either way, it needs to identify all risks related to how data subjects can be affected if their personal data is used beyond its initial processing purposes by the importers, or by other authorities and institutions in the country of import, and identify technical and organisational measures to address these risks.
TIA as a process
A TIA is not a one-time exercise; it should be seen as an ongoing process that checks for changes in the data processing activities, in the nature of the data being processed, and in the legislation of the countries of import. In Section III of the new SCCs, published by the European Commission in 2021, the TIA is mandated as a component of the local law assessment.
The EU GDPR restricts the transfer of personal data to third countries unless adequate safeguards are in place, such as through an adequacy decision by the European Commission, SCCs, Binding Corporate Rules (BCRs), or other transfer mechanisms. The Schrems II ruling made it clear that reliance on SCCs alone is not sufficient. Organisations must evaluate whether the legal framework of the recipient country provides adequate protection. Conducting a TIA helps fulfil this requirement.
Risk assessments in a TIA
Cross-border data transfers expose organisations to various risks, such as unauthorised access to personal data by third-country governments, data breaches, or even litigation. A TIA helps identify these risks and develop appropriate mitigation strategies, such as implementing additional technical safeguards (e.g., encryption, anonymisation) or contractual measures.
In an era where personal data protection is a top concern for individuals, demonstrating that your organisation takes data protection seriously is vital. By conducting a TIA, a company can show customers and stakeholders that it is proactive in ensuring their personal data is transferred securely and with proper legal safeguards, building trust and enhancing its reputation.
How to perform a Transfer Impact Assessment
Performing a Transfer Impact Assessment involves a methodical process aimed at evaluating the risks associated with a data transfer and identifying ways to mitigate them. Here is a step-by-step guide on how companies should perform a TIA:
1. Exporter and importer identification
In this phase, it is necessary to clearly identify the data controller or the data processor that is exporting the data outside of the EEA, the data controller or the data processor that is importing the data, and the country of the data importer.
2. Timeline of the processing
Personal data processing can be continuous, sporadic, or a one-time operation. It is important to detail the timeline of the processing, i.e., the start date, the planned end date, and the expected retention period for the exported personal data.
3. Personal data inventory
Before conducting a TIA, companies must first identify the specific personal data that will be transferred. This includes understanding the nature of the data (e.g., customer data, employee data, partner data), the data subjects involved, and the sensitivity of the data (e.g., health data, financial data). This step also involves detailing the steps of the processing operations, from collection to destruction of personal data, including the departments responsible for each step of the processing operations, the assets where data is processed or stored, and any third parties such as data controllers, data processors, or joint data controllers.
4. Purpose and nature of transfers
A personal data transfer is itself a processing operation under GDPR Article 4 (Definitions). Therefore, it must have a purpose and a legal basis for processing. In this step, companies need to provide additional details, including: the categories of data subjects; the categories of personal data being processed; the sources of the personal data and how it is collected, stored, and deleted; the number of data subjects involved; the geographical extent of the processing; and the volume of data items being processed.
5. Transfer description
According to the EDPB’s Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, three cumulative criteria need to be met in order for a personal data transfer to qualify as an international personal data transfer:
- The controller or processor (“exporter”) is subject to the GDPR for the given processing.
- The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (“importer”).
- The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.
As a consequence, companies need to detail all the steps, including technical steps, of how the personal data transfer occurs between the exporter and the importer.
6. Risk identification and prioritisation
Next, companies must identify and evaluate the potential risks to the personal data in light of the legal environment of the third country. These risks might include government surveillance, insufficient legal recourse for data subjects, or inadequate protection against data breaches.
The core of the TIA lies in evaluating whether the legal environment of the third country to which the data is being transferred provides adequate protection for the personal data. This involves examining local laws, especially those governing government access to data and surveillance practices, and assessing how well the third country’s legal system aligns with the GDPR’s data protection principles.
Exporters must determine whether there are any laws in the third country that could undermine the effectiveness of the chosen transfer mechanism (e.g., SCCs). For example, if the laws in the third country allow broad access to personal data by public authorities without adequate oversight, this may present a risk.
Organisations must also consider the likelihood of these risks materialising and the potential harm to the data subjects involved, and prioritise the risks accordingly.
7. Addressing risks
If the assessment finds that the legal environment of the third country poses risks to the protection of personal data, the organisation must implement supplementary measures to mitigate those risks. The European Data Protection Board has provided guidance on the types of supplementary measures that companies can implement, which may include:
- Technical measures, such as end-to-end encryption, to ensure that only authorised recipients can access the data.
- Contractual measures, such as specific contractual obligations on the recipient in the third country to resist unlawful access requests from public authorities.
- Organisational measures, such as additional internal policies and procedures to safeguard the data.
8. Documenting the TIA
In the end, based on the risk management action plan, the exporter must decide whether the transfer is permitted or prohibited, and document the decision. As part of the documentation, it is necessary to collect feedback from data subjects belonging to the categories whose data is being transferred, list their concerns, and record how those concerns are addressed by the risk management action plan.
9. Monitoring the TIA
As mentioned at the beginning of this article, a TIA is not a one-time exercise. It must be monitored continuously for changes in the local legislation of the importer’s country, in order to ensure the continued protection of the exported personal data, and also for changes in the transfer itself. If new risks arise, they need to be re-evaluated and addressed with technical, contractual, and organisational measures.
Tips for a successful Transfer Impact Assessment
A TIA should not be performed in isolation by the Data Protection Officer or by the legal team, as it requires input from various stakeholders, including IT, security, and business units, to ensure a holistic approach. Engaging all relevant teams early in the process ensures that all aspects of the data transfer are considered.
Also, in many cases, organisations may not have the internal expertise to fully assess the legal landscape of third countries. Engaging external legal or privacy experts can provide valuable insights and help ensure that the TIA is thorough and compliant with regulatory expectations.
One way to reduce the risks associated with data transfers is to minimise the amount of personal data being transferred in the first place. Organisations should consider whether the data transfer is necessary and if the data can be pseudonymised or anonymised before transfer.
Organisations should also inform data subjects about the data transfer and the safeguards in place to protect their personal data. Transparency helps build trust and can mitigate the concerns of data subjects.
Importance of the Transfer Impact Assessment
In a world where data flows across borders more than ever before, the importance of Transfer Impact Assessments cannot be overstated. As regulatory scrutiny over personal data transfers continues to increase, companies must adopt a proactive approach to assessing the risks associated with international personal data transfers and implementing appropriate safeguards. By following the outlined steps and best practices, organisations can ensure that their data transfers comply with regulatory requirements, mitigate risks, and build trust with their customers and stakeholders.