Impact Assessment of International Data Transfers Under EU GDPR & UK GDPR
Personal Data Transfers Under the EU GDPR
Articles 44 to 50 of the GDPR deal with the disclosure of personal information to third parties or foreign organizations. The European Commission’s “Adequacy Decision” is the first place to turn to determine the legality of an ongoing international personal data transfer.
In the absence of an adequacy decision, the controller or processor must take steps to compensate for the lack of data protection in a third country by providing sufficient safeguards to the data subject. Acceptable measures include the adoption of binding corporate rules, standard data protection provisions issued by the Commission, standard data protection clauses adopted by a supervisory authority, or contractual clauses certified by a supervisory body.
What Is Transfer Impact Assessment – TIA?
In the field of privacy, “Transfer Impact Assessment” (TIA) is a relatively new concept. Clause 14 of the new standard contractual clauses (SCC), which were released by the European Commission in June 2021, establishes the requirement to carry out a TIA.
In a personal data transfer, a TIA is an evaluation, carried out by a data controller or data processor, of the effect and security implications of a transfer to a country outside the EEA that is not the subject of an adequacy decision by the Commission.
Organizations should conduct a transfer impact assessment (TIA) to evaluate:
• The availability of access requests from third-country government agencies,
• The legal system of a third country,
• The actual adoption of a third country’s legal system,
• Whether businesses have the ability to refuse government access requests,
• Whether legally binding international treaties (for example, Convention 108) have been signed,
• Whether a separate privacy and data protection supervisory authority has been formed,
• Whether data subjects have legal remedies accessible to them, and how far these remedies extend outside national borders.
A TIA can assist organizations in determining whether the transfer tool they are relying on will be effective in the specific circumstances of the transfer. It will also highlight any additional steps that may be required to ensure a level of data protection roughly equivalent to that found under the GDPR.
GDPR in the United Kingdom
If you rely on an Article 46 transfer mechanism, you must complete a risk assessment. This risk assessment will help you determine whether the relevant safeguards for persons under the UK data protection framework will be jeopardized as a result of the transfer circumstances and the implementation of your chosen Article 46 transfer mechanism.
What exactly is a Transfer Risk Assessment (TRA)?
By conducting a TRA, you can be confident that the Article 46 transfer process will provide the required safeguards and effective, enforceable rights to individuals in the specific circumstances of your restricted transfer.
There are two major types of risk that your TRA must consider:
• Threats to persons’ rights in destination countries posed by third parties, particularly governmental and public institutions, who have access to the information but are not subject to the Article 46 transfer procedure.
• Threats to people’s rights as a result of legal challenges to the transfer process outlined in Article 46.
When Should a TRA Be Performed?
You must undertake a TRA if you are performing a restricted personal data transfer and intend to employ one of the Article 46 transfer mechanisms, such as the IDTA, Addendum, or BCRs.