You need a Transfer Impact Assessment (TIA) template and guidance to get them right. The objective is to check that the transfer is lawful because the controller adequately protects the personal data it is transferring by putting sufficient measures in place. We have studied international trends and best practices regarding impact assessments and have conducted many for our clients. Essentially, you should do a TIA to assess what the impact will be on personal data (or privacy) if you transfer it to another country.
The data exporter must check that adequate protection is in place when they export personal data to a data importer in another country.
Following Schrems II, organisations around the world should conduct a transfer impact assessment when transferring personal data across a border to another country. For example, from the EU to the United States, or from the EU or UK to an African country. Controllers use a TIA to assess the data transfer mechanism, tool or appropriate safeguard they rely on under GDPR Article 46 or POPIA section 72.
A TIA typically considers the sufficiency of foreign protections on a case-by-case basis when a controller transfers data using a data transfer mechanism. It is an assessment of the protections of both the country to which the personal data will be exported and the data importer. Each assessment is also different based on the data processing activity involved and the personal data the data exporter is exporting.
In this article, we discuss one kind of impact assessment: a transfer impact assessment. There are also organisational impact assessments and regulatory impact assessments. You can read more about legal assessments. It is important to know which one you are referring to. You can also do a transfer impact assessment yourself with our guidance by joining our data protection programme and working through the conducting transfer impact assessments module.
How do you benefit from a transfer impact assessment?
- Lawfully transfer personal data from one country to another
- Ensure that adequate measures and standards exist
- Know where the biggest impact on personal data will be
When should I do a transfer impact assessment?
Ideally, your organisation should conduct a TIA before transferring personal data from one country to another. You can still do it during or afterwards – better late than never. Sometimes you will have a data flow that has been going on for many years. You can’t just stop it. You should then work as quickly as possible to do the relevant transfer impact assessment. You will do TIAs many times in the future and at different points in time. Doing TIAs is part of protecting personal data and is an ongoing exercise.
Actions you can take
- Do a transfer impact assessment by asking Michalsons to do one for you.
- Do a TIA yourself with our guidance by joining a Data Protection Programme and working through the conducting transfer impact assessments module.
- Check that you are conducting assessments correctly by asking us to review your process and outcomes.
What do organisations typically assess?
- The two organisations involved in the transfer. The controller and processor. Or the data exporter and data importer.
- The processing activity that includes the transfer from one country to another. And the personal data involved. You must know your data.
- The actual transfer of the data. Is a transfer taking place? How?
- The data transfer mechanism, tool or appropriate safeguard the controller relies on to make the transfer.
- The destination country – the country to which the controller exports the data. The laws and regulations of the third country.
- The safeguards or controls in place.
- The level of risk to which the transfer exposes the personal data.
How to conduct a TIA
- Discover as much information as possible. This often requires research from various sources. If necessary, request that people send various documents. Where necessary, send various people assessments or questionnaires to answer.
- Workshop with or interview various people to discover more information and ask for further clarification.
- Document the findings by drafting and delivering a report.
Some processors (like Atlassian) help their controllers to do a transfer impact assessment.
A transfer impact assessment report
The key result is whether the transfer is lawful or not
We deliver a practical transfer impact assessment report in plain language detailing whether the transfer is lawful or not. This is the conclusion and should be set out at the beginning of the report. The transfer is lawful if the controller adequately protects the personal data it is transferring by putting sufficient measures in place.
Of course, it is important to provide the details of the assessment and prove that the personal data will be protected. The process and details are important but, from a practical perspective, the key result is whether the transfer is lawful or not. We have developed a transfer impact assessment report template that we use. The report can also set out additional measures or controls that the controller should put in place to improve privacy. For example, obtaining prior authorisation from a regulator.