Do I need to do a Personal Data Transfer Impact Assessment?

Be compliant with the GDPR by creating a Transfer Impact Assessment
Photo by bady abbas on Unsplash

Earlier this year, the Court of Justice of the EU (CJEU) reached a decision in the Schrems II case. The court invalidated the European Commission’s 2016 decision, known as decision 2016/1250, that Privacy Shield was adequate to enable data transfers under EU law to the United States.

This decision has invalidated the EU-U.S. Privacy Shield. It also clarified that the use of standard contractual clauses (SCCs) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfer(s) and the country of destination.

Therefore, a personal data transfer impact assessment (TIA) is now necessary after the Schrems II case when you are exporting data from the European Union to third countries.

What is a Data Transfer Impact Assessment?

Much like a Privacy Impact Assessment (PIA) or Legitimate Interest Impact Assessment (LIA), a Transfer Impact Assessment (TIA) is a risk assessment of the factors related to the transferred of data into third countries. GDPR and the Schrems II ruling does not identify the specific factors that a business must consider when it comes to determining your assessment. However, we believe that Data protection authorities (DPAs) are expecting TIAs to include considerations such as;

  • Likelihood of government access to the data
  • If the data is within the scope of intelligence and law enforcement activities
  • Adequate protections in place
  • The legal framework or applicable privacy and security standards in the country you are transferring to
  • The general human rights ratings of the country

How do I conduct a Data Transfer Impact Assessment?

If you must perform a TIA, based on the countries you are transferring data to, you should begin early in the life of your project.

You should conduct the assessment before you start processing data. It should run adjacent to the planning and development process and include the steps outlined below.

Describe the Legal frameworks offers in the destination country

These would be the applicable privacy and security standards in the country, include whether the country has adhered to international agreements on data protection and cybersecurity (e.g. OECD Guidelines on Data Protection, Convention 108, Budapest Convention on Cybercrime, UN Charter of Human Rights, Madrid Resolution: International Standard on the Protection of Personal Data and Privacy, etc.)

Outline the availability of an independent mechanism for individuals

Is there an effective recourse mechanism for data subjects (including EU individuals) to enforce their rights under the law of the country of destination?

Availability of legal means for organisations to challenge government access requests

Much like individuals, does the organisation that will be receiving the personal data be able to challenge access requests? Is the data importer a member or public supporter to organisations advocating for the defence of human rights?

Consider the Context

At this stage, think about the ways this data could be accessed by government intelligence and law enforcement agencies. Does the country have a history and likelihood of government access requests in the specific context of the transfer?

Evaluate Data Protection Risks

Perhaps the most important step in a TIA, this is where you'll analyse data protection and privacy from all angles. List and consider all potential threats to data security and privacy.

Is there a Transfer Impact Assessment template?

There is no official Transfer Impact Assessment template, and conducting a TIA can be a confusing, complicated process. But we have designed to be flexible and scalable for your organisation. You don't have to go it alone.

With Dapple, you can breeze through your compliance responsibilities and get back to running your business.

A Transfer Impact Assessment provided by DappleDapple allows you to easily create your Transfer Impact Assessment, for each third party country, for all personal data your company handles. Then, your DPO can generate and send those documents directly to your data protection supervisory authority.

Are you ready to see how easy compliance can be? Sign up and try Dapple for your business!

Get started with your Personal Data Transfer Impact Assessment template!
How to Conduct a Record of Processing for Personal Data to Comply with the GDPR
How to Conduct a Data Privacy Impact Assessment
How to Conduct a Legitimate Impact Assessment
Do I need to do a Personal Data Transfer Impact Assessment?
Data protection impact assessment template in excel vs Dapple
GDPR compliance - what documents do you need?