
Assessment of the risks involved in data transfers from the EU and UK to third countries that are not covered by an adequacy decision.

Transfer Impact Assessment


The AI Privacy Consulting Transfer Impact Assessment (TIA) clarifies an organisation’s exposure to risks linked to transferring personal data of EU residents to countries without an existing EU data protection adequacy agreement.

A Transfer Impact Assessment (aka a Transfer Risk Assessment) is required to comply with the Schrems II ruling and supports planning for any required change.

Transfer Impact Assessments are mandated in both the European Data Protection Board (EDPB) guidance on Supplementary Measures and the updated draft of the Standard Contractual Clauses (SCCs).

Each individual assessment is relatively quick to do, clarifies required next steps, and enables our clients to demonstrate GDPR accountability to both internal stakeholders and customers. It also provides clarity about scope, which illustrates the effort required and helps prioritise work.

The output of the assessment provides clients with an understanding of the steps required and the means to plan changes to mitigate or minimise highlighted risks.

We work with organisations on developing an action plan to manage the implementation of the given recommendations. Our experienced consultants will also help clients establish and document the tailored Data Transfer Impact Assessment process for their organisation to use internally.

AI Privacy Consulting can help by:

  • Identifying and assessing compliance of in-scope transfers of EU residents’ data with the Schrems II ruling and relevant requirements in the EU and UK GDPR

  • Enabling prioritisation and planning to remediate any non-compliance

  • Enabling clients to respond to customer enquiries about EU data transfer compliance after the Schrems II ruling

  • Advising on supplementary measures to introduce for particular types of transfers


This service can be carried out remotely.


On July 16, 2020, the European Court of Justice (CJEU) invalidated the EU-U.S. Privacy Shield in a case popularly known as the Schrems II ruling. Following this decision, standard contractual clauses (SCCs) became the most common mechanism to facilitate data transfers to third countries (i.e., countries outside the European Economic Area).

The CJEU, however, stated that before organizations can use SCCs or alternative mechanisms, they must assess (on a case-by-case basis) the risks involved in transferring personal data outside the EEA.

Not surprisingly, the United Kingdom adopted a similar approach to facilitate international data transfers from within the UK to third countries.

These occurrences marked the origin of the Transfer Impact Assessment (TIA) and Transfer Risk Assessment (TRA).


1. Transfer Impact Assessment (TIA):


Before using SCCs or alternative tools, organizations must now assess the risks involved in data transfers to third countries that are not covered by an EU adequacy decision (i.e., countries considered not to have an adequate level of data protection by the European Commission).

Supporting this stipulation, the EDPB released its recommendations on measures to supplement transfer tools, which also require a TIA to be conducted and documented before international data transfers.

Importantly, data exporters must consider whether the laws and practices in third countries may impede the effectiveness of the safeguards provided by the transfer tools under Article 46 of the GDPR.

Lastly, in light of Schrems II, the European Commission repealed the old SCCs and published an updated version on June 4, 2021. Under clause 14, the new SCCs require the parties to conduct a TIA before transferring data to third countries without an adequacy decision.


2. Transfer Risk Assessment (TRA):


After the Schrems II ruling and the release of the new EU SCCs, the UK government published the UK International Data Transfer Agreement (IDTA) and the UK addendum to the EU SCCs.

These are essentially the UK's versions of the EU SCCs, and organizations are free to decide which version they wish to implement.

In any case, UK data exporters must now conduct a TRA before implementing any of the UK SCCs to facilitate data transfers to third countries (much like in the EU).


Given the complexity involved, we recommend seeking legal or professional help to navigate your TIA and TRA obligations properly.
