Our data protection and GDPR legal experts are able to assist you in your transfer impact assessments used for data transfers between EU and non-EU countries. This will be updated once we have further developments on the ICO consultation, which includes the transfer risk assessment tool for UK personal data transfers.
Before the new EU standard contractual clauses (SCCs), some could say the old SCCs were treated as a tick-box exercise, with little or no consideration given to the spirit of the international personal data transfer mechanism. This is no longer the case, thanks to the Schrems II ruling, which, in addition to invalidating the Privacy Shield, made it clear that data exporters must conduct transfer impact assessments to verify, on a case-by-case basis, if the laws of the third country have an impact on the efficiency of the SCCs.
The new SCCs address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II judgement.
What’s a transfer impact assessment?
This is a risk assessment, comparable to a privacy impact assessment, that is undertaken by the exporting controller. It considers whether personal data will be adequately protected by SCCs in the third country and whether supplementary measures are required.
How do we conduct a TIA?
This is a subjective risk assessment and can be a challenging task to undertake. It’s important to get it right and ensure that the European Data Protection Board’s Recommendations are taken into consideration.
The recommendations provide six steps for data exporters to follow to assess third countries and identify appropriate supplementary measures. Here is a summary of the steps:
- Personal data mapping – you need to know your transfers; find out where your personal data is going and why.
- Verify the transfer mechanism such as an adequacy decision or transfer tools listed under Article 46 GDPR.
- Conduct an assessment of laws and practices of the third country that may impact the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.
- Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred (under an Article 46 tool) up to the required standard of essential equivalence.
- Take any formal procedural steps the adoption of the supplementary measure(s) may require; this depends on the Article 46 GDPR transfer tool that you are relying on.
- Re-evaluate, at appropriate intervals, the level of protection afforded to the personal data that’s transferred to third countries and monitor if there have been or there will be any developments that may affect it.
Once you start remediating your contracts to include the new SCCs, working out where transfer impact assessments need to be done may appear complex. If you’d like help with any aspect of understanding and complying with the new SCCs and the Schrems II ruling, get in touch with our friendly and knowledgeable experts, who would be happy to help.