If you are an organisation transferring personal data out of the EU, you may need a ‘Transfer Impact Assessment’ – an international data transfer risk assessment which is mandatory under the GDPR.
In this guide, we’ll explain what a Transfer Impact Assessment is and the key steps involved in conducting one.
This is a complex topic and there are different approaches depending on whether the GDPR (EU data protection law) or UK GDPR applies, so please contact our team if you’d like advice on this and your specific transfers of personal data.
Jump to:
- What is a Transfer Impact Assessment under the GDPR?
- What is a ‘Restricted Transfer’ of personal data under the GDPR and why does it matter?
- Why do I need a Transfer Impact Assessment if I’m putting in place appropriate safeguards, such as using the SCCs?
- How do I conduct a Transfer Impact Assessment under the GDPR?
- Why do Transfer Impact Assessments matter?
- What about transfers of personal data outside of the UK, subject to the UK GDPR?
- Transfer Risk Assessments under the UK GDPR
- The ICO’s Transfer Risk Assessment sets out 6 questions:
- How Harper James can help
What is a Transfer Impact Assessment under the GDPR?
A ‘Transfer Impact Assessment’ is a risk assessment used for the purposes of transferring personal data from the EU to certain non-EU countries.
A Transfer Impact Assessment is needed to make sure that when personal data of individuals in the EU is transferred outside of the EU, it’s still protected in the same way it needs to be protected under the GDPR.
The organisation exporting personal data outside of the EU needs to carry out this assessment, to check if the relevant transfer of personal data will be safe or not.
As part of a Transfer Impact Assessment, the organisation exporting personal data needs to consider a series of questions, to check if personal data will be adequately protected. These are covered further, below.
What is a ‘Restricted Transfer’ of personal data under the GDPR and why does it matter?
You’ll need to consider a Transfer Impact Assessment when you are making a ‘restricted transfer’ of personal data.
Restricted transfers occur where EU (or UK) personal data is being transferred to other ‘third countries’, where such transfers of data would be prohibited by the GDPR and UK GDPR.
For the purposes of GDPR, to identify a restricted transfer, you need to look at whether you are sending personal data outside of the EU and consider:
- Which country or countries are you sending the personal data to?
- Are the countries you’re sending the personal data deemed to afford an adequate level of protection to personal data? If the countries you’re sending the personal data to are subject to an adequacy decision, this means you can send personal data to them freely.
- If the countries are not subject to an adequacy decision, have you put in place appropriate safeguards such as Binding Corporate Rules (BCRs) or commonly used Standard Contractual Clauses (SCCs)?
- Do any other exemptions or derogations apply under the GDPR, which would allow you to send personal data to those countries?
- If you determine that you need appropriate safeguards in place, such as SCCs, to govern the transfer of personal data outside of the EU, then you’ll need to consider carrying out a Transfer Impact Assessment.
Why do I need a Transfer Impact Assessment if I’m putting in place appropriate safeguards, such as using the SCCs?
Since the Schrems II ruling, which was famously known for invalidating the Privacy Shield, it was made clear that organisations transferring personal data outside of the EU and UK must conduct Transfer Impact Assessments to verify, on a case-by-case basis, if the laws of the third country to which personal data has been sent has any impact on the efficiency of the SCCs. Just because you have signed the SCCs it doesn’t mean you have ensured there are protections, enforceable rights and legal remedies that are ‘essentially equivalent’ to those guaranteed under GDPR.
Now, transfers that are made using any of the Article 46 GDPR tools (for example SCCs) may only be relied on if the exporting organisation has undertaken a documented case-by-case Transfer Impact Assessment to ensure the personal data (and data subjects) remain protected to the required standard under GDPR.
In summary, it’s vital for data exporters (controllers or processors), in partnership with the organisation receiving data in the third country (data importers) to evaluate the laws of the destination country to which personal data is being sent and put in place measures to make sure that personal data is protected when it is sent to those countries, to the same level as it would be under the GDPR.
How do I conduct a Transfer Impact Assessment under the GDPR?
The European Data Protection Board (EDPB) made various recommendations about what a Transfer Impact Assessment needs to cover, as set out below.
Certain steps in the assessment process are very difficult to deal with in practice, but it’s vital that you get this right and make sure that the Europe Data Protection Boards Recommendations are taken into consideration.
The EDPB recommends the following 6 steps to assess risks related to transfers:
| STEP 1 Personal data mapping | As a first step, you need to know your international data transfers, where your data is going and why. Note that data ‘transfer’ also includes access to personal data from a third country. |
| STEP 2 Verify the transfer mechanism | Under GDPR, there’s a general rule against transferring personal data outside of the EU and EEA – unless the data is transferred to a country that’s considered adequate by the European Commission (e.g. the UK) or subject to an appropriate safeguard such as BCRs or SCCs, or if it benefits from a derogation for specific circumstances (but that’s rarely used). See the guidance on transfer tools listed under Article 46 GDPR. |
| STEP 3 Assess the local laws of the country you’re sending personal data to | You need to ensure that the level of protection in the importing country is equivalent to that guaranteed under the GDPR. For this step, you’ll need to assess the laws of and practices of the third country and check if they will have an effect on the value of your appropriate safeguards or transfer tools (e.g. your SCCs). You should consider the potential for access to the data by public authorities of the third country, including rights and remedies available to data subjects. In practice, this is a very difficult step and you may need to take local law advice, for example, to check the extent to which public authorities could access personal data in those countries, what surveillance powers are available and what safeguards are in place to limit those powers. |
| STEP 4 Identify and adopt supplementary measures | You’ll need to identify which extra measures are necessary to bring the level of protection of the data transferred (under an Article 46 tool) up to the standard that is needed to protect the personal data that you are sending to the third country. Examples of supplementary measures include anonymisation or pseudonymisation of personal data and encryption. This can again be very difficult to tackle in practice. |
| STEP 5 Take any formal procedural steps | You’ll need to take any formal procedural steps that the adoption of the supplementary measure(s) may require - this is dependent on the Article 46 GDPR transfer tool that you are relying on. |
| STEP 6 Re-evaluate | You’ll need to re-evaluate, at appropriate intervals, the level of protection afforded to the personal data that is transferred to third countries and monitor if there have been or will be any developments that may affect it. You’ll need to keep a close eye on your data transfers and ensure your assessments are updated when necessary – you’ll also need to understand if any local law updates are relevant to your assessments and local lawyers can assist with this. |
- You might need to carry out more than one Transfer Impact Assessment per country, depending on which types of personal data are being transferred.
- You should also be careful when dealing with onward transfers of personal data - whilst you may have satisfied yourself that the importing country has in place adequate measures for a restricted transfer to take place, you need to also ensure that the same flows down the chain, (e.g. if further transfers of personal data are made from the importing country to other countries). This is a complicated point, so please contact us if you’d like advice on this.
- If your assessment reveals a potential issue, then you’ll need to evaluate whether the use of supplementary measures could be used and then repeat the assessment to see whether the issue can be resolved. If the Transfer Impact Assessment indicates, even after considering all supplementary measures, that the required level of protection is not provided, then you should not proceed with the transfer. So, in the worst-case scenario, you may have to suspend the transfer of personal data outside of the EU.
- Regardless of the decision made, you should ensure that you document all the steps you have followed as part of the assessment and note that data protection authorities could request to see your documentation and what you have considered as part of this process.
Why do Transfer Impact Assessments matter?
Transfer Impact Assessments are critical, and a lot can go wrong if you get this wrong. As a prime example, Meta (owner of Facebook) was hit with a record-breaking fine of €1.2 billion by the Irish data protection regulator, the largest fine ever issued under the GDPR.
The fine was issued because the tech giant’s transfer of personal data from the EU and EEA to the US was found to be in breach of GDPR. Although the company had in place SCCs, the regulator found that it did not properly address the risks to personal data being transferred to the US with suitable ‘supplemental measures’. See our article on this.
For further information on what happens if you get data protection law compliance wrong, see our article.
What about transfers of personal data outside of the UK, subject to the UK GDPR?
Our guidance above focusses on legal rules under the GDPR (EU data protection law). In the UK, companies need to follow the UK GDPR and the UK Data Protection Act.
As an appropriate safeguard for the transfer of personal data outside of the UK, organisations can use the UK International Data Transfer Agreement (IDTA), or an addendum to the European Commission’s SCCs for international data transfers (UK Addendum) together with the European Commission SCCs.
If you’d like to learn more about restricted transfers and which approach is best to adopt; the IDTA or the UK addendum, then please read our guidance explaining data transfers from the UK.
Transfer Risk Assessments under the UK GDPR
In the UK, organisations can use a ‘Transfer Risk Assessment’. A Transfer Risk Assessment allows organisations to make a restricted transfer from the UK by ensuring appropriate safeguards are in place to address the circumstances of the restricted transfer. A Transfer Risk Assessment must always be conducted prior to putting in place Article 46 appropriate safeguards, and can be said to be the UK equivalent to the Transfer Impact Assessment under EU GDPR.
The UK ICO has published a Transfer Risk Assessment Tool and guidance. This tool is designed to apply only to non-complex transfers and shouldn’t be used for high-risk processing activities. The ICO’s tool is only suitable for UK GDPR compliance, so if EU GDPR applies to an international data transfer, then the EDPB guidance (above) needs to be followed.
The Transfer Risk Assessment would enable a data exporter to determine if the transfer mechanism they intend to use for the restricted data transfer provides an adequate level of protection for that transfer. The ICO’s approach focusses upon whether transfers of personal data will increase risk to the privacy of individuals, as opposed to if their data stays in the UK. If a significant risk is presented, then the transfer shouldn’t go ahead. The ICO’s approach looks at human rights in the destination country and attempts to present a business friendly and practical approach.
The ICO has also set out guidance on what constitutes a restricted transfer and who is responsible for conducting this assessment – please contact us if you would like advice on these points.
The ICO’s Transfer Risk Assessment sets out 6 questions:
| Question 1 What are the specific circumstances of the restricted transfer? | Here, organisations need to consider detailed information on the relevant restricted transfer e.g. which personal data is being transferred and why, together with any measures adopted protect the data which is being transferred. |
| Question 2 What is the level of risk to people in the personal information you are transferring? | Here, organisations need to assess the level of risk involved in the transfer of personal data – i.e. a low, moderate or high-risk. |
| Question 3 What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation? | Here, organisations should assess what level of investigation needs to be carried in relation to the data being transferred. |
| Question 4 Is the transfer significantly increasing the risk for people of a human rights breach in the destination country? | Here, organisations need to assess if the transfer of personal data will increase the risk of the data subjects suffering a human rights breach, in the country personal data is sent to. |
| Question 5 (a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK? (b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)? | This question requires organisations to assess whether themselves and the relevant data subjects would be able to enforce their rights under Article 46 (e.g. under the SCCs), in the UK against the relevant data importer, or in the third country or elsewhere. |
| Question 6 Do any of the exceptions to the restricted transfer rules apply to the 'significant risk data'? | The final question considers whether any exemptions apply to the ‘significant data’ e.g. if the organisation has taken explicit consent from the data subject to allow for their personal data to be transferred to the relevant third country. |
Organisations can use the ICO’s tool and questions, to decide whether to proceed with the international transfer of personal data. If it’s determined that the organisation’s Article 46 mechanism won’t provider effective safeguards and protect the rights of the data subject, then the restricted transfer cannot go ahead.
There are various differences between a Transfer Impact Assessment under the EU GDPR and a Transfer Risk Assessment under the UK GDPR and the ICO allows organisations to use either the EDPB’s guidance or its own tool – see our article on this.
Although it may be easier to use, the ICO’s Transfer Risk Assessment tool might not be appropriate, depending on the nature of your international data transfers. Please contact us if you’d like advice on this.
How Harper James can help
It is important that you get this right. Our data protection and GDPR legal experts can assist you in your Transfer Impact Assessments used for data transfers between EU and non-EU countries. We can also assist with Transfer Risk Assessments for the transfer of data from the UK to countries that are not covered by UK ‘adequacy regulations’.
There are a lot of complex factors to consider, including the laws of different countries. Laws and practices in another country are not readily found on the internet or necessarily correct, but our lawyers can help identify and interpret laws for you.
Where supplementary measures have been put forward as part of an assessment, such measures need to be assessed by an organisation’s information security team to check if they keep the personal data safe. We can assist your information security team by analysing the information they need to consider from the importing organisation, to ensure their assessment is fit for purpose.
As this guide has explained, this is a detailed and complicated exercise. If you’d like help with any aspects of the topics covered, get in touch with our friendly and knowledgeable experts who would be happy to help.
