Transfer Impact Assessments (TIAs)

Last updated: 12 October 2021

Estimated reading time: 2 minutes

Member View

Our data protection and GDPR legal experts are able to assist you in your transfer impact assessments used for data transfers between EU and non-EU countries. This will be updated once we have further developments on the ICO consultation, which includes the transfer risk assessment tool for UK personal data transfers.  

Jump to:

  1. Introduction
  2. What’s a transfer impact assessment?
  3. How do we conduct a TIA?

Introduction

Prior to the new EU standard contractual clauses (SCCs), some could say the old SCCs were considered a tick box exercise, with little or no consideration to the spirit of the international personal data transfer mechanism. This is no longer the case, thanks to the Schrems II ruling where, amongst invalidating the Privacy Shield, it also made it clear that data exporters must conduct transfer impact assessments to verify, on a case-by-case basis, if the laws of the third country have an impact on the efficiency of the SCCs. 

The new SCCs, address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II judgement. 

What’s a transfer impact assessment?

This is a risk assessment, and can be compared to a privacy impact assessment, that is undertaken by the exporting controller, taking into consideration whether personal data will be adequately protected by SCCs in the third country and whether supplementary measures are required. 

How do we conduct a TIA?

This is a subjective risk assessment and can be a challenging task to undertake. It’s important to get it right and ensure that the Europe Data Protection Boards Recommendations are taken into consideration.  

The recommendations provide six steps for data exporters to follows to assess third countries and be able to identify appropriate supplementary measures. Here is a summary of the steps: 

  • Personal data mapping – you need to know your transfers; find out where your personal data is going and why. 
  • Verify the transfer mechanism such as an adequacy decision or transfer tools listed under Article 46 GDPR. 
  • Conduct an assessment of laws and practices of the third country that may impact the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. 
  • Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred (under an Article 46 tool) up to the required standard of essential equivalence. 
  • Take any formal procedural steps the adoption of the supplementary measure(s) may require, this is dependent on the Article 46 GDPR transfer tool that you are relying on. 
  • Re-evaluate, at appropriate intervals, the level of protection afforded to the personal data that’s transferred to third countries and monitor if there have been or there will be any developments that may affect it. 

Once you start remediating your contracts to include the new SCCs, it may appear complex where transfer impact assessments need to be done. If you’d like help with any aspect of understanding and complying with the new SCCs and the Schrems II ruling, get in touch with our friendly and knowledgeable experts who would be happy to help. 

Back to table of contents

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no obligation to instruct us. We aim to respond to all messages received within 24 hours.

  • Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our privacy policy.

  • This field is for validation purposes and should be left unchanged.

A national law firm

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

Floor 2, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
10 Fitzroy Square, London, W1T 5HP
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
2-5 Velocity Tower, 1 St Mary’s Square, Sheffield, S1 4LP
Like what you're reading?

Like what you're reading? Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.

Subscribe