Data transfer impact assessment – iPleaders

This article has been written by Shobhit Kapoor pursuing Diploma in US Technology Law and Paralegal Studies: Structuring, Contracts, Compliance, Disputes and Policy Advocacy and edited by Shashwat Kaushik.

This article has been published by Sneha Mahawar.

The General Data Protection Regulation (GDPR), the gold standard for data protection, places a variety of restrictions and checks on the processing of personal data. It does not prohibit the export of the personal data of EU residents and citizens to a country outside the EU for processing, but it does restrict such transfers. This restriction operates through tiered checkpoints, because in a global economy with diverse business needs it would be naïve to expect exclusive data localisation or an outright ban on cross-border transfers of data.


Any transfer of personal data to a “third country” that the GDPR would otherwise restrict is termed a “restricted transfer” and must be scrutinised before it is performed. This barrier exists simply to ensure that personal data shipped to a non-EU region is protected to the same degree that the GDPR intends.

There must be no mystery about what could happen to such personal data, whether in transit or at rest; the bottom line is that there is no room for uncertainty here.

To give an example of the need to transfer personal data to other countries, HR is one of the largest domains that must send data (sometimes very sensitive data) abroad for processing. Such an export may be needed because the parent company or a subsidiary of the organisation is located outside the EU, or because the HR department’s CRM or SaaS systems are hosted there. Massive amounts of employee data need, at some point in time and for some meaningful purpose, to be exported to the countries where the parent organisation or a subsidiary is based. As stated earlier, the organisation’s specific business needs drive such a transfer of data from one geo-location to another, even though the transfer may be invisible to the user of that data, i.e., the HR department in layman’s terms.

Considering the tight control laid down on personal data movement, there has been much uncertainty regarding personal data transfer to third countries (countries outside the EU).

However, this should not be thought of as an impossible task. Captured or collected personal data can certainly be moved across borders for processing, to a considerable extent. For this to be a reality, the data-exporting organisation (which could be a data controller or even a data processor) must carefully assess, on a case-by-case basis, both its needs and the technical and organisational safeguards that must come into play for a cross-border transfer of personal data, so as to ensure sufficient protection against unwanted and uncontrolled consequences.

A ‘Transfer Impact Assessment’ (TIA) is a risk assessment performed when personal data from the EU is being considered for transfer to certain non-EU countries. As stated earlier, a TIA is conducted to make sure that when the personal data of individuals in the EU is transferred outside the EU, it is protected and safeguarded in the manner the GDPR lays down.

Questions that come to the forefront while planning such a data transfer include:

  • What is the business justification for sending data to an organisation based in another country?
  • Which country/region is the personal data being sent to?
  • Does that country/region offer an adequate level of protection for the personal data being exported to it? If the country set to receive the personal data is subject to an adequacy decision, the personal data can be freely sent to it.
  • If the country/region importing the personal data is not subject to an adequacy decision, have appropriate safeguards, such as binding corporate rules (BCRs) or the commonly used standard contractual clauses (SCCs), been put in place?
  • Does any other condition under the GDPR apply that would allow or hinder the data-exporting organisation from sending its personal data to that country/region?
  • If you determine that appropriate safeguards such as SCCs are needed to govern the transfer of personal data outside the EU, it may be necessary to conduct a TIA.

A TIA will also focus on whether the laws of the importing country would permit that country’s government agencies to access the personal data.

The TIA is mentioned in Clause 14 of the Standard Contractual Clauses (discussed later in the document).

A TIA may be performed whenever there is a need to perform a “restricted transfer.”

As per the Schrems II ruling, entities that need to transfer personal data to non-EU and non-UK countries must conduct a TIA to verify whether the laws of the importing country would have any impact on the efficiency and efficacy of the Standard Contractual Clauses (SCCs). Merely signing the SCCs does not ensure protections, enforceable rights or legal remedies that come anywhere close to those conferred under the GDPR.

Any entity, whether a data controller or a data processor, that ships personal data to a region outside the EU member states needs to carry out a TIA in order to check whether the transfer of personal data will be safe. The assessment uses the GDPR as its benchmark as far as the broad requirements are concerned. This is no surprise, as the GDPR is still the gold standard for personal data protection.

Transfers made under Article 46 GDPR can be relied on only if the data exporter has undertaken a TIA, ensuring that the personal data is protected to a level that matches the standards of the GDPR.

Therefore, in GDPR terms, any entity, whether data controller or data processor, that needs to transfer data to a sub-entity (or rather, a processor) must perform a detailed TIA.

The European Data Protection Board (EDPB) has taken the lead in outlining much of the GDPR’s objectives. In pursuance of this, the EDPB has made several recommendations relating to TIAs. It has laid down six steps for a TIA; these set the baseline for an assessment that can evolve over time as both technology and the internet advance.

The six steps are as follows:

  1. Know your transfer: where is the data being shipped, and for what purpose?
  2. Verify your transfer tools: does the importing country have an adequacy decision in its favour, or is the relationship covered by an SCC or a BCR?
  3. Local country assessment: check the national and local laws of the importing country to see whether they in any manner undermine the protection and safety of the personal data being exported there, whether the data is at rest or in transit.
  4. Identify supplementary measures: consider measures that raise the level of protection when such a “third country” is the importer. Measures could include pseudonymisation, anonymisation, etc.
  5. Formalise the supplementary measures: use enforceable instruments to formalise the measures identified in step 4.
  6. Re-evaluate: this is a constant and periodic exercise, as the importing country will undergo legislative developments that affect the personal data shipped to it. It is usually convenient and practical to have a local lawyer assist with this task.

It is no surprise that there is no single best way to conduct a TIA, but organisations that have travelled further along the path of GDPR compliance have developed their own TIA methodologies based on experience, skill and the best practices emerging from what is still limited thought leadership.

Legal experts and lawyers who work in the GDPR space or in data protection and privacy law are a boon in these times, not least for aiding TIAs.

The major challenge these legal experts can address concerns the local laws of the recipient country. Knowledge of these laws, which are vast and widely dispersed, is not easily available on the internet, and the available sources may lack authenticity. It takes a lawyer to interpret such laws, join the dots and reach a decision.

On the other hand, the organisation’s information security team is technology- and tool-centric but lacks a legal perspective when taking, or even considering, any action. With due respect to them, they are doing a terrific job at expanding technology and digital footprints beyond imagination. However, they do need guidance on how each kind of data is to be viewed and categorised; not every piece of data is to receive the same protection as personal data. Additionally, the information that must be sought from the prospective importer of the data is the product of collaboration between the information security team and the legal team.

To summarise, collaboration between lawyers and information security or data protection teams is needed in order to shape an effective TIA. The EU has clarity on which countries are adequate and which are not. The changing business landscape and, hence, the need for cross-border processing of personal data is a reality no one can deny. Without lowering its guard or contravening the GDPR, processes will keep evolving with time, and the TIA is one of them.
