International Data Transfer Impact Assessment Under EU GDPR & UK GDPR
Transfers of Personal Data Under EU GDPR
Articles 44 to 50 of the GDPR address the transfer of personal data to third parties or international organizations. The “Adequacy Decision” of the European Commission is the first place to look to determine the legality of an ongoing international personal data transfer.
Without an adequacy decision, the controller or processor must take steps to make up for the lack of data protection in a third country by providing the data subject with suitable protections. The adoption of binding corporate rules, standard data protection provisions issued by the Commission, standard data protection clauses adopted by a supervisory authority, or contractual clauses approved by a supervisory body are a few examples of acceptable measures.
What Is Transfer Impact Assessment – TIA?
In the field of privacy, “Transfer Impact Assessment” (TIA) is a relatively new concept. Clause 14 of the new standard contractual clauses (SCC), which were released by the European Commission in June 2021, establishes the requirement to carry out a TIA.
In personal data transfer processes, a TIA is an evaluation, carried out by a data controller or data processor, of the effect and security implications of a transfer to a country outside the EEA that is not the subject of an adequacy decision by the Commission.
A transfer impact assessment (TIA) should be carried out by organizations to evaluate:
- The availability of access requests by third-country government agencies,
- The third country’s legal system,
- The third country’s actual implementation of its legal system,
- If organizations have the ability to reject government access requests,
- If legally binding international agreements (such as Convention 108) have been signed,
- If a separate supervisory authority for privacy and data protection has been established,
- If there are legal remedies available to data subjects and the extent to which these remedies extend beyond national borders.
In personal data transfer processes, a TIA can assist organizations in determining whether the transfer tool they are relying on will be effective in the transfer’s specific circumstances. It will also highlight any additional steps that may be required to guarantee a roughly equivalent level of data protection to that found under the GDPR.
United Kingdom – UK GDPR
You must conduct a transfer risk assessment if you are relying on an Article 46 transfer mechanism. This risk assessment will assist you in determining whether the relevant protections for individuals under the UK data protection framework will be compromised given the circumstances of the transfer and the implementation of your selected Article 46 transfer mechanism.
What is a Transfer Risk Assessment – TRA?
By conducting a TRA, you can make sure that the Article 46 transfer mechanism will offer the necessary protections and effective, enforceable rights for individuals in the particular circumstances of your restricted transfer.
There are two main categories of risk that your TRA must take into account:
- Threats to individuals’ rights in the destination countries posed by third parties who have access to the information but are not subject to the Article 46 transfer mechanism, particularly governmental and public institutions,
- Threats to individuals’ rights resulting from challenges in enforcing the Article 46 transfer mechanism.
When Should You Carry out a TRA?
If you are performing a restricted personal data transfer and want to use one of the Article 46 transfer mechanisms, including the IDTA, Addendum, or BCRs, you must perform a TRA.