When you transfer personal data across a border to another country, you should conduct a transfer impact assessment. This follows from Schrems II. For example, this transfer could be from the EU to the United States, or from the EU or UK to an African country. Controllers use a TIA to assess the data transfer mechanism, tool or appropriate safeguard they rely on under GDPR Article 46 or POPIA section 72.
You need a Transfer Impact Assessment (TIA) template and guidance to ensure that assessments are completed correctly. The objective is to verify that the transfer is lawful, in other words that the controller adequately protects the personal data it is transferring by implementing sufficient measures. We have studied international trends and best practices regarding impact assessments and have conducted many for our clients. Essentially, you should conduct a TIA to assess the impact on personal data (or privacy) if you transfer it to another country.
The data exporter must check that adequate protection is in place when they export personal data to a data importer in another country.
A TIA typically considers the sufficiency of foreign protections on a case-by-case basis when a controller transfers data using a data transfer mechanism. It is an assessment of the protections of both the country to which the personal data will be exported and the data importer. Each assessment is also different based on the data processing activity involved and the personal data the data exporter is exporting.
In this article, we are discussing one kind of impact assessment (being a transfer impact assessment). You also get an organisational impact assessment and a regulatory impact assessment. You can read more about legal assessments. It is important to know which one you are referring to. You can also do a transfer impact assessment yourself with our guidance by joining our data protection programme and working through the conducting transfer impact assessments module.
How do you benefit from a transfer impact assessment?
- Lawfully transfer personal data from one country to another
- Ensure that adequate measures and standards exist
- Know where the biggest impact on personal data will be
When should I do a transfer impact assessment?
Ideally, your organisation should conduct a TIA before transferring personal data from one country to another. You can still do it during or afterwards – better late than never. Sometimes you will have a data flow that has been going on for many years. You can’t just stop it. You should then work as quickly as possible to do the relevant transfer impact assessment. You will do TIAs many times in the future and at different points in time. Doing TIAs is part of protecting personal data and is an ongoing exercise.
Actions you can take
- Do a transfer impact assessment by asking Michalsons to do one for you.
- Do a TIA yourself with our guidance by joining a Data Protection Programme and working through the module on conducting transfer impact assessments.
- Check that you are conducting assessments correctly by asking us to review your process and outcomes.
What do organisations typically assess?
- The two organisations involved in the transfer. The controller and processor. Or the data exporter and data importer.
- The processing activity that includes the transfer from one country to another. And the personal data involved. You must know your data.
- The actual transfer of the data. Is a transfer taking place? How?
- The data transfer mechanism, tool or appropriate safeguard the controller relies on to make the transfer.
- The destination country – the country to which the controller exports the data. The laws and regulations of the third country.
- The safeguards or controls in place.
- The level of risk to which the transfer exposes the personal data.
How to conduct a TIA
- Discover as much information as possible. This often requires research from various sources. If necessary, request that people send various documents. Where necessary, send various people assessments or questionnaires to answer.
- Workshop with or interview various people to gather more information and request further clarification.
- Document the findings by drafting and delivering a report.
Some processors (like Atlassian) help their controllers to do a transfer impact assessment.
A transfer impact assessment report
The key result is whether the transfer is lawful or not
We deliver a practical transfer impact assessment report in plain language detailing whether the transfer is lawful or not. This is the conclusion and should be set out at the beginning of the report. The transfer is lawful if the controller adequately protects the personal data it is transferring by implementing sufficient measures.
Of course, it is essential to provide details of the assessment and demonstrate that personal data will be protected. The process and details are important, but from a practical perspective, the key result is whether the transfer is lawful or not. We have developed a transfer impact assessment report template that we use. The report can also outline additional measures or controls that the controller should implement to enhance privacy. For example, the controller could obtain prior authorisation from a regulator.
Examples of TIAs that we’ve recently completed for clients in line with the EDPB recommendations
Data transfers out of the European Economic Area to
- South Africa
- Tanzania
- Zimbabwe
- Zambia
- Democratic Republic of Congo.
This is not an exhaustive list and is being added to all the time.
