Transfer Impact Assessments (TIAs)

Last updated: 22 October 2021


Our data protection and GDPR legal experts can assist you with the transfer impact assessments used for data transfers between the EU and non-EU countries.

Jump to:

  1. What are restricted transfers?
  2. What’s a TIA?
  3. How do we conduct a TIA?
  4. Who should carry out the TIA?
  5. Dealing with onward transfers
  6. What’s the UK position on restricted transfers?

What are restricted transfers?

Restricted transfers are transfers of UK (or EU) personal data to third countries. Such transfers are prohibited by data protection law unless there is a legal basis for them under Chapter V of the GDPR. To identify a restricted transfer, you need to consider:

  • Is there any personal data involved? This may seem like an obvious question, but it’s important to be able to differentiate between personal data and other data.
  • Where is it going?
  • Does the importing country have adequate data protection laws in place? Have you considered:
    • Whether the transfer is based on an adequacy decision.
    • Whether the transfer is subject to appropriate safeguards (Article 46 tools), such as binding corporate rules or standard contractual clauses (SCCs).
    • Whether the transfer is authorised by Union law.
    • Whether derogations for specific situations apply.

The old SCCs were treated as a tick-box exercise, with little or no consideration given to the spirit of the international personal data transfer mechanism. This is no longer the case following the Schrems II ruling: as well as invalidating the Privacy Shield, the ruling made it clear that data exporters must conduct transfer impact assessments (TIAs) to verify, on a case-by-case basis, whether the laws of the third country affect the effectiveness of the SCCs.

Schrems II made it clear that, just because you have signed the SCCs, it doesn’t mean you have ensured there are protections, enforceable rights and legal remedies that are ‘essentially equivalent’ to those guaranteed under UK GDPR and EU GDPR. The new SCCs address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II judgement.

Now, transfers that are made using any of the Article 46 tools, for example SCCs, may only be relied on if the exporting organisation has undertaken a documented case-by-case assessment to ensure the personal data (and data subjects) remain protected to the required standard. This assessment is commonly known as the TIA.

Let’s look at some examples of transfers and whether a TIA applies:

  • EU personal data transferred to an adequate third country, then transferred onward to a non-adequate third country: TIA applicable.
  • EU personal data transferred to a non-adequate country: TIA applicable.

Please note: for existing contracts that use the old SCCs, companies have until 27 December 2022 to transition to the new SCCs.

What’s a TIA?

A TIA is a risk assessment, comparable to a privacy impact assessment, undertaken by the exporting organisation. It considers whether the personal data will be protected by the SCCs in the third country and whether supplementary measures are required. It usually takes the form of a set of questions put to the importing organisation (whether or not it is an affiliate) to establish whether adequate measures are in place for the restricted transfer to take place.

How do we conduct a TIA?

This is a subjective risk assessment and can be a hard task to undertake. It’s important to get it right and to take the European Data Protection Board’s (EDPB) Recommendations into consideration.

The Recommendations set out six steps for data exporters to follow when assessing the risks related to transfers:

  • Personal data mapping – you need to know your transfers; find out where your personal data is going and why. This includes onward transfers (see below).
  • Verify the transfer mechanism, such as an adequacy decision or one of the transfer tools listed under Article 46 GDPR.
  • Conduct an assessment of the laws and practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. You need to ensure that the level of protection in the importing country is equivalent to that guaranteed under the UK/EU GDPR. You should have particular regard to the potential for access by public authorities of the third country, including the rights and remedies available to data subjects.
  • Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred (under an Article 46 tool) up to the required standard of essential equivalence. Examples of supplementary measures include:
    • Anonymisation or pseudonymisation of personal data
    • Encryption
    • Deploying specific technical and organisational measures
  • Take any formal procedural steps the adoption of the supplementary measure(s) may require; this is dependent on the Article 46 GDPR transfer tool that you are relying on.
  • Re-evaluate, at appropriate intervals, the level of protection afforded to the personal data that’s transferred to third countries and monitor if there have been or there will be any developments that may affect it.

If the TIA reveals a potential issue, the exporting organisation needs to evaluate whether supplementary measures could resolve it, and then repeat the assessment to check whether they do. If the TIA indicates, even after considering all supplementary measures, that the required level of protection is not provided, the exporting organisation should not proceed with the transfer.

Who should carry out the TIA?

The exercise is a complicated one and may involve different functions of the business. In a small organisation with few functions, the task may fall to one person, but ultimately the responsibility sits with Legal and Information Security.

It is important that you get this right. The laws and practices of another country are not readily found on the internet, and what is found is not necessarily correct. Our lawyers have the expertise to identify and interpret those laws and can help you do so.

Where supplementary measures have been put forward, they need to be assessed by the information security team, who are best placed to consider whether the importing organisation’s technical measures are sufficient to keep the personal data safe. We can assist your information security team by setting out the information they need to obtain from the importing organisation, to ensure their assessment is fit for purpose.

Dealing with onward transfers

Whilst you may have satisfied yourself that the importing country has in place adequate measures for a restricted transfer to take place, you need to also ensure that the same flows down the chain.

For example: 

  • EU personal data is sent from the EU to Japan. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. Japan has received an adequacy decision allowing personal data to flow freely between the EU and Japan, based on strong protection guarantees.
  • The EU personal data is then sent from Japan to India and processed there by a sub-processor.

The EDPB Recommendations state that transferring personal data to third countries ‘cannot be a means to undermine or water down the protection it is afforded in the EEA.’ So, in the above example, the exporting organisation should identify all transfers and sub-processing chains, including the transfer to India. A TIA would identify all third countries involved and assess, at each point of transfer, whether the level of protection in the importing country is equivalent to that guaranteed under the UK GDPR and EU GDPR.

What’s the UK position on restricted transfers?

We are waiting for the ICO to publish a new set of UK SCCs (the consultation for this closed on 7 October) to govern transfers of UK personal data to third countries. In the meantime, the old SCCs continue to be valid. This page will be updated once there are further developments on the ICO consultation, which includes the transfer risk assessment tool for UK personal data transfers.

This is a complex exercise. If you’d like help with any aspect of understanding and complying with the new SCCs and the Schrems II ruling, contact our friendly and knowledgeable experts who would be happy to help.
