Transfer Impact Assessments (TIAs)

Our data protection and GDPR legal experts can assist you in your Transfer Impact Assessments used for data transfers between EU and non-EU countries. We can also assist with Transfer Risk Assessments (TRAs) for the transfer of data from the UK to countries that are not covered by UK ‘adequacy regulations’.

In this guide we decipher the terminology and process for conducting data transfer assessments.

What are restricted transfers?

Restricted transfers are transfers of UK (or EU) personal data to third countries; such transfers would be prohibited by data protection laws unless there is a legal basis under Chapter V of the GDPR. To identify a restricted transfer, you need to consider:

  • Is there any personal data involved? This may seem like an obvious question, but it's important to be able to differentiate between personal data and other data.
  • Where is it going?
  • Does the importing country have adequate data protection laws in place? Have you considered:
    • Whether the transfer is subject to appropriate safeguards (Article 46 tools) such as binding corporate rules or standard contractual clauses (SCCs)
    • Whether the transfer is authorised by Union Law

The old SCCs were considered a tick-box exercise, with little or no consideration given to the spirit of the international personal data transfer mechanism. This is no longer the case thanks to the Schrems II ruling which, as well as invalidating the Privacy Shield, made it clear that data exporters must conduct transfer impact assessments (TIAs) to verify, on a case-by-case basis, whether the laws of the third country affect the effectiveness of the SCCs.

Schrems II made it clear that signing the SCCs does not by itself ensure there are protections, enforceable rights and legal remedies that are ‘essentially equivalent’ to those guaranteed under the UK GDPR and EU GDPR. The new SCCs therefore address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II judgement.

Now, transfers that are made using any of the Article 46 tools, for example SCCs, may only be relied on if the exporting organisation has undertaken a documented case-by-case assessment to ensure the personal data (and data subjects) remain protected to the required standard. This assessment is commonly known as the TIA.

Let’s look at some examples of transfers and where a TIA may be applicable:

  Example                                                                                                    | Outcome
  -----------------------------------------------------------------------------------------------------------|---------------
  EU personal data transferred to an adequate third country, then onward transfer to a non-adequate third country | TIA applicable
  EU personal data transferred to a non-adequate country                                                     | TIA applicable

What’s a TIA?

A TIA is a risk assessment, comparable to a privacy impact assessment, that is undertaken by the exporting organisation. It considers whether personal data will be adequately protected by the SCCs in the third country and whether supplementary measures are required. In practice it is usually a set of questions put to the importing organisation (whether or not it is an affiliate) to establish whether adequate measures are in place for the restricted transfer to take place.

How do we conduct a TIA?

This is a subjective risk assessment and can be a hard task to undertake. It’s important to get it right and to ensure that the European Data Protection Board’s (EDPB) Recommendations are taken into consideration.

The EDPB Recommendations set out six steps for data exporters to follow when assessing the risks related to transfers:

  • Personal data mapping – you need to know your transfers: find out where your personal data is going and why. This includes onward transfers (see below).
  • Verify the transfer mechanism, such as an adequacy decision or one of the transfer tools listed under Article 46 GDPR.
  • Conduct an assessment of the laws and practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tool you are relying on, in the context of your specific transfer. You need to ensure that the level of protection in the importing country is equivalent to that guaranteed under the UK/EU GDPR. You should have particular regard to the potential for access by public authorities of the third country, including the rights and remedies available to data subjects.
  • Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred (under an Article 46 tool) up to the required standard of essential equivalence. Examples of supplementary measures include:
    • Anonymisation or pseudonymisation of personal data
    • Encryption
    • Deploying specific technical and organisational measures
  • Take any formal procedural steps the adoption of the supplementary measure(s) may require; this is dependent on the Article 46 GDPR transfer tool that you are relying on.
  • Re-evaluate, at appropriate intervals, the level of protection afforded to the personal data that’s transferred to third countries and monitor if there have been or there will be any developments that may affect it.

If the TIA reveals a potential issue, then the exporting organisation needs to evaluate whether the use of supplementary measures could be used and then repeat the assessment to see whether the issue can be resolved. If the TIA indicates, even after considering all supplementary measures, that the required level of protection is not provided, then the exporting organisation should not proceed with the transfer.

Who should carry out the TIA?

The exercise is a complicated one and may involve different functions of the business. In a small organisation, where there aren’t many functions, the task may fall to one person, but ultimately the responsibility sits with Legal and Information Security.

It is important that you get this right. The laws and practices of another country are not readily found on the internet, and what is found is not necessarily correct. Our lawyers have the expertise to identify and interpret those laws for you.

Where supplementary measures have been put forward, these need to be assessed by the information security team, as they are best placed to consider whether the importing organisation’s technical measures are sufficient to keep the personal data safe. We can assist your information security team by setting out the information they need to obtain from the importing organisation, to ensure their assessment is fit for purpose.

Dealing with onward transfers

Whilst you may have satisfied yourself that the importing country has adequate measures in place for a restricted transfer to take place, you also need to ensure that the same protection flows down the chain.

For example:

  • EU personal data is sent from the EU to Japan. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. Japan has received an adequacy decision allowing personal data to flow freely between the EU and Japan, based on strong protection guarantees.
  • The EU personal data is then sent from Japan to India and processed there (by a sub-processor).

The EDPB Recommendations state that transferring personal data to third countries 'cannot be a means to undermine or water down the protection it is afforded in the EEA.' So, in the above example, the exporting organisation should identify all transfers and sub-processing chains. The TIA would then identify every third country involved and assess, at each point of transfer, whether the level of protection in the importing country is equivalent to that guaranteed under the UK GDPR and EU GDPR.

What’s the UK position on restricted transfers?

We now have clarification on the transfer of personal data outside the UK. The new UK International Data Transfer Agreement (IDTA), together with an addendum to the European Commission’s standard contractual clauses for international data transfers (the 'UK Addendum'), came into force on 21 March 2022. Collectively these are referred to as the UK standard contractual clauses (UK SCCs).

If you’d like to learn more about restricted transfers and which approach is best to adopt, the IDTA or the UK Addendum, please read our guidance explaining data transfers from the UK.

This is a complex exercise. If you’d like help with any aspect of understanding and complying with the new SCCs and the Schrems II ruling, get in touch with our friendly and knowledgeable experts who would be happy to help.

What’s a Transfer Risk Assessment?

A transfer risk assessment (TRA), which can be regarded as the UK equivalent of the TIA, allows organisations to make a restricted transfer from the UK by ensuring that appropriate safeguards are in place to address the circumstances of the restricted transfer. A TRA must always be conducted before putting an IDTA in place.

The ICO’s TRA tool has a three-step process to assess risk:

  1. Assessing the transfer
  2. Is the IDTA likely to be enforceable in the destination country?
  3. Is there appropriate protection for the data from third-party access?

A TRA is a risk assessment that enables a data exporter to determine whether the transfer mechanism it intends to use for the restricted transfer provides an adequate level of protection for that transfer. The ICO makes clear that the TRA tool is not concerned with whether a country has a surveillance programme, but rather with whether the country has safeguards that balance ‘necessity and proportionality.’


What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no obligation to instruct us. We aim to respond to all messages received within 24 hours.
