TIA / TRA / IDTA
What is a Transfer Impact Assessment (TIA)?
How do we conduct a TIA?
This subjective risk evaluation can be challenging to complete. Making sure that the European Data Protection Board’s recommendations are taken into account is crucial.
It outlines the six actions below for data exporters to follow in order to evaluate transfer-related risks.
If the TIA identifies a potential problem, the exporting organization must determine whether deploying supplementary measures would be appropriate, then reevaluate the problem to see whether those measures resolve it. The exporting organization should not proceed with the transfer if the TIA shows that the necessary level of protection is still not provided even after all supplementary measures have been taken into account.
1. Personal data mapping
2. Check the transfer tool
3. In the context of your individual transfer, evaluate the laws and practices of the third country that may affect the effectiveness of the safeguards provided by the transfer tool you are using.
4. Identify and implement any supplementary measures needed to raise the level of protection of the transferred data (under an Article 46 tool) to the required standard of essential equivalence.
Examples of supplementary measures are:
- Personal data anonymization or pseudonymization
- Encryption
- Specialized organizational and technical measures
5. Take any formal procedural steps
6. Reassess the level of protection
What is Transfer Risk Assessment (TRA)?
By confirming that the necessary measures are in place to address the circumstances of the restricted transfer, a transfer risk assessment (TRA) enables organizations to make a restricted transfer from the UK. An IDTA, which is essentially the TIA in the UK, must always be implemented before a TRA is completed.
The ICO’s TRA tool uses a three-step process to assess risk:
- Assessing the transfer
- Is the IDTA likely to be enforceable in the destination country?
- Is there appropriate protection for the data from third-party access?
A risk assessment, or TRA, lets a data exporter determine whether the transfer mechanism it intends to use for the restricted transfer offers an acceptable level of protection for that transfer. Through the TRA tool, the ICO makes it plain that it is not assessing whether a country has a surveillance program, but rather whether that country has safeguards that strike a balance between “necessity and proportionality.”
How is the ICO’s TRA tool different to EDPB’s TIA?
The following dangers to the rights of data subjects in the destination country are of particular concern to the ICO because the data importer is constrained by the conditions of the Article 46 transfer mechanism (such as the SCCs):
- The risk that transferred personal data will be accessed by third parties (such as government and public bodies) who are not bound by the Article 46 transfer tool;
- The risk to people’s rights resulting from challenges implementing the Article 46 transfer mechanism.
The ICO’s TRA tool comprises six questions. It is contrasted below with the six-stage TIA methodology used by the EDPB.
[Table: the ICO TRA’s six questions (1 to 6) set alongside the EDPB TIA’s six stages (1 to 6)]
The ICO offers the TRA as an alternative, although it will still recognize risk assessments that use the EDPB methodology.
First, the TRA proposes rating the level of risk in the personal data subject to transfer according to the kind and quantity of that data. Based on its assessment, the ICO provides a sample list of personal data categories with assigned risk levels (for example, a name carries a “low” risk, whereas gender carries a “high” risk).
The ICO also considers whether transferring personal data out of the UK increases the risk to people’s human rights. The question the ICO requires the data exporter to address in the TRA is: “Are people in a sufficiently similar position about any risks to their data privacy and human rights?” The ICO offers a range of technical measures for safeguarding personal data, from password security and staff training to the better-known EDPB recommendations such as encryption and pseudonymization.
What is the IDTA?
You, the person sending the data, are the Exporter. The person who receives the data is the Importer. The Exporter and the Importer both enter into the IDTA.
The IDTA contains:
