TIA / TRA / IDTA

Transfer Impact Assessments, Transfer Risk Assessments, International Data Transfer Agreement

Ensure Data Transfer Compliance: DPOsphere Experts for IDTA, TIA, and TRA

What is a Transfer Impact Assessment?

A TIA is a risk assessment that the exporting organization carries out to determine whether personal data transferred under SCCs will be appropriately protected in the third country, and whether supplementary measures are needed. It is comparable to a privacy impact assessment. Importing organizations are typically asked to answer questions for the TIA, whether or not they are affiliates of the exporter, so the exporter can determine whether sufficient safeguards are in place for the restricted transfer to proceed.

How do we conduct a TIA?

This is a largely subjective risk evaluation and can be difficult to complete. It is crucial to take the European Data Protection Board's guidance into account (EDPB Recommendations 01/2020 on measures that supplement transfer tools).

The EDPB sets out the six steps below for data exporters to follow when assessing the risks of a transfer.

Where the TIA identifies a potential problem, the exporting organization must consider whether supplementary measures could address it, and then reassess whether the problem is resolved. If the TIA shows that the required level of protection is not achieved even after all available supplementary measures are taken into account, the exporting organization should not proceed with the transfer.

Personal data mapping

Know your transfers: establish where your personal data is going and why it is being transferred. This includes any onward transfers made by the importer.

Check the transfer tool

Identify the transfer tool your transfer relies on, such as an adequacy decision or one of the transfer mechanisms listed in Article 46 GDPR (for example SCCs or BCRs).

Assess the law and practice of the third country

In the context of your specific transfer, assess whether anything in the law or practice of the third country may undermine the effectiveness of the appropriate safeguards in the transfer tool you are relying on.

You must make sure that the level of protection in the importing country is essentially equivalent to that guaranteed by the UK/EU GDPR. Pay particular attention to the possibility of access by public authorities of the third country, and to the rights and redress available to data subjects.

Adopt supplementary measures

Identify and adopt any supplementary measures needed to bring the level of protection of the data transferred (under an Article 46 tool) up to the required standard of essential equivalence.

Examples of supplementary measures are:
– anonymization or pseudonymization of personal data
– encryption
– specific organizational and technical measures
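Pseudonymization only counts as an effective supplementary measure when the information needed to re-identify people (the key and the lookup table) stays with the exporter, so that neither the importer nor a public authority with access to the importer's systems can reverse it. The following example is added here to illustrate that arrangement; it is not code from the original page or from DPOsphere. The record layout, field names and sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample: the data an exporter wants to send to a support
# processor in a third country. Field names are assumptions for this example.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"email": "a.lopez@example.org", "name": "Ana Lopez", "dob": "1984-03-07", "plan": "premium", "tickets_open": 2},
    {"email": "b.kim@example.org", "name": "Bo Kim", "dob": "1991-11-30", "plan": "basic", "tickets_open": 0},
    {"email": "A.Lopez@example.org", "name": "Ana Lopez", "dob": "1984-03-07", "plan": "premium", "tickets_open": 1},
]

DIRECT_IDENTIFIERS = ("email", "name")  # never leave the exporter
LINKAGE_FIELD = "email"                  # replaced by a keyed pseudonym so the importer can still link records


def pseudonym_for(value: str, key: bytes) -> str:
    """Keyed pseudonym for one identifier.

    HMAC-SHA256 is used instead of a plain hash: without the exporter-held key,
    the importer cannot enumerate likely email addresses and match them.
    The value is normalised so that case/whitespace variants map to one subject.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def generalise_dob(dob: str) -> str:
    """Keep only the birth year: useful for the importer's analytics, too coarse to identify."""
    return dob[:4]


def pseudonymise_records(records: List[Dict[str, object]], key: bytes) -> Tuple[List[Dict[str, object]], Dict[str, str]]:
    """Return (records safe to export, lookup table that stays with the exporter)."""
    exported: List[Dict[str, object]] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        pid = pseudonym_for(str(rec[LINKAGE_FIELD]), key)
        lookup[pid] = str(rec[LINKAGE_FIELD]).strip().lower()
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = pid
        out["birth_year"] = generalise_dob(str(out.pop("dob")))
        exported.append(out)
    return exported, lookup


def reidentify(exported_record: Dict[str, object], key: bytes, lookup: Dict[str, str]) -> str:
    """Exporter-side only: map a pseudonym back to the identifier, checking the table against the key."""
    pid = str(exported_record["subject_id"])
    original = lookup[pid]
    if not hmac.compare_digest(pseudonym_for(original, key), pid):
        raise ValueError("lookup table entry does not match the pseudonymisation key")
    return original


def contains_direct_identifiers(exported: List[Dict[str, object]]) -> bool:
    """Export-time check: no direct identifier or full date of birth may appear in the outgoing data."""
    forbidden = DIRECT_IDENTIFIERS + ("dob",)
    return any(field in rec for rec in exported for field in forbidden)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored by the exporter, never shared with the importer
    exported, lookup = pseudonymise_records(SAMPLE_RECORDS, key)
    assert not contains_direct_identifiers(exported)
    for rec in exported:
        print(rec)
    print("re-identified first record as:", reidentify(exported[0], key, lookup))
```

The importer receives only `exported`; the key and `lookup` are part of the exporter's records for the TIA and should be protected accordingly. Two records for the same person still carry the same `subject_id`, so the importer can aggregate per subject without knowing who the subject is.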

Take any formal procedural actions

Depending on the Article 46 GDPR transfer instrument you are using, take any formal procedural actions that the adoption of the supplementary measure(s) may call for. 

Reassess the level of protection

Reassess the level of protection provided to personal data transferred to third countries at appropriate intervals, and keep an eye out for any developments that might have an impact. 

What is Transfer Risk Assessment (TRA)?

A transfer risk assessment (TRA) is the UK counterpart of the EU TIA. It enables an organization to make a restricted transfer from the UK by confirming that the necessary measures are in place to address the circumstances of that transfer. Where the transfer relies on an IDTA (the UK's equivalent of the EU SCCs), the TRA must be completed before the restricted transfer is made under the IDTA.

By carrying out a TRA, a data exporter can decide whether the transfer mechanism it intends to rely on for the restricted transfer provides an appropriate level of protection for that transfer. With its TRA tool, the ICO makes it plain that it is not assessing whether a country has a surveillance program, but whether that country has safeguards that strike a balance between "necessity and proportionality".

How is the ICO's TRA tool different from the EDPB's TIA?

Because the data importer is bound by the terms of the Article 46 transfer mechanism (such as the IDTA or SCCs), the ICO is particularly concerned with the following risks to the rights of data subjects in the destination country:

  • The risk that transferred personal data will be accessed by third parties (such as government and public bodies) who are not bound by the Article 46 transfer tool;
  • The risk to people's rights arising from difficulties in enforcing the Article 46 transfer mechanism.


The ICO's TRA tool comprises six questions. They are contrasted below with the six-step TIA methodology used by the EDPB.

ICO TRA tool (six questions):

1. What are the specific circumstances of the restricted transfer?
2. What is the level of risk to people in the personal information you are transferring?
3. What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organization?
4. Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
5. Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK? If enforcement action outside the UK may be needed: are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
6. Do any of the exceptions to the restricted transfer rules apply to the "significant risk data"?

EDPB TIA methodology (six steps):

1. Know your transfers.
2. Verify the transfer tool your transfer relies on.
3. Assess whether anything in the law and/or practices of the third country may impinge on the effectiveness of the transfer tool.
4. Adopt supplementary measures, if necessary, to bring the level of protection up to the EU standard of essential equivalence.
5. Take any formal procedural steps needed to adopt the supplementary measures.
6. Regularly re-evaluate.

The ICO offers the TRA tool as an alternative approach, but it will still recognize risk assessments that follow the EDPB methodology.

First, the TRA asks the exporter to rate the level of risk in the personal data being transferred, based on the type and volume of the data. The ICO provides an illustrative list of personal data categories with assigned risk levels (for example, a name is rated "low" risk, whereas gender is rated "high" risk).

The ICO also considers whether the transfer of personal data out of the UK increases the risk to people's human rights. The question the ICO requires the data exporter to address in the TRA is: "Are people in a sufficiently similar position about any risks to their data privacy and human rights?" The ICO lists a variety of technical and organizational measures for protecting personal data, from password security and staff training to the better-known EDPB-recommended measures such as encryption and pseudonymization.

What is the IDTA?

The IDTA is a contract for you to use when making a restricted transfer of personal data to a country outside the UK. The Information Commissioner has decided that the IDTA contains appropriate safeguards for the Transferred Data, including effective and enforceable data subject rights. The IDTA ensures that the protections for Data Subjects of the Transferred Data are sufficiently similar to UK protections.

How does the IDTA work?

You, the person sending the data, are the Exporter. The person who receives the data is the Importer. The Exporter and the Importer both enter into the IDTA.

The IDTA contains:

Tables which you should use to set out specific information about the Exporter, the Importer and the restricted transfer;

A set of Mandatory Clauses which must always be included. These include the Legal Glossary;

The option to include extra protection clauses. When you complete your TRA, you may decide that the IDTA needs extra steps in order to provide the right level of protection. These can be set out in this section, but must be included in the IDTA or the Linked Agreement if the IDTA is to work as an appropriate safeguard;

The option to include commercial clauses agreed by the Exporter and Importer, provided that these do not contradict the IDTA.

Ensure Data Transfer Compliance: DPOsphere Experts for IDTA, TIA, and TRA

Our DPOsphere data protection experts can assist you with the IDTA and with Transfer Impact Assessments (TIA) for data transfers from the EU to non-EU countries. We can also assist with Transfer Risk Assessments (TRA) for transfers of data from the UK to countries that are not covered by UK "adequacy regulations".