Adhering Abroad: Transfer Impact Assessments

What is a transfer impact assessment (TIA)?

A TIA is a risk assessment conducted by an organization to determine whether transferred data will be protected through standard contractual clauses (SCCs) and whether additional protections are necessary. SCCs are contractual clauses preapproved by the European Commission that ensure appropriate data protection when data is transferred to non-EU countries. EU data protection standards establish uniform practices that apply regardless of the differences between other nations' privacy regimes. This consistency gives EU citizens sufficient privacy and gives organizations a path to GDPR compliance. Organizations have started conducting TIAs in the wake of Schrems II, the recommendations of the European Data Protection Board, and Clause 14 of the Standard Contractual Clauses.

Who do TIAs apply to?

Any organization processing personal data of an EU citizen is subject to the GDPR. TIAs apply to organizations transferring data to countries whose privacy laws do not meet the EU's adequate level of data protection. For example, transfers to India, the United States, and Singapore require TIAs, while transfers to New Zealand, Argentina, and South Korea do not.

When do you need a TIA?

Organizations need to conduct a TIA when transferring data to a non-EU country that has not been deemed adequate.

What are the important factors to include in your TIA?

· Laws and practices of the destination country, including:
    o Required disclosures of data to public authorities.
    o Authorization of access to data by public authorities.
    o Relevant laws and practices applied to the circumstances of the transfer, limitations, and safeguards.

· The specific circumstances of the transfer, including:
    o The length of the processing chain.
    o The number of actors involved, and the transmission channels used.
    o Intended onward transfers.
    o The type of recipient.
    o The purpose of processing.
    o The categories and format of the transferred personal data.
    o The economic sector in which the transfer occurs.
    o The storage location of the data transferred.

· Contractual, technical, or organizational supplemental safeguards.

To conduct a TIA, you need to know your data. In-depth TIA templates are available through the IAPP.

About Ardent Privacy

Ardent Privacy's TurtleShield is an AI-powered enterprise software platform that helps businesses discover, identify, inventory, map, minimize, and securely delete personal data. In addition to helping companies get to know their data, TurtleShield assists them in acting on that data and implementing a privacy-by-design approach. Utilizing TurtleShield can provide the information needed to conduct a TIA. Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to help companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach.

For more information, visit https://ardentprivacy.ai/.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.