Data Transfer Impact Assessments: Ensuring international transfers of data are legally compliant

Following on from our article on The New Standard Contractual Clauses, below we look at Data Transfer Impact Assessment considerations.

What is a Data Transfer Impact Assessment (DTIA) and when is it needed?

Simply put, the DTIA is an assessment process that needs to be carried out by those wanting to export data outside the European Economic Area (EEA) to what are known as third countries (see further below).

The need for a DTIA was confirmed with the recent release of the new EU Standard Contractual Clauses (the New EU SCCs) and must be carried out when exporting data from the EEA to countries that have not been recognised with an ‘adequacy decision’ by the European Commission (EC).

An ‘adequacy decision’ is essentially a recognition by the EC that the country in question has an adequate level of data protection laws to ensure that a data subject gains a similar level of protection to what s/he would receive under EU data protection laws. Where a country has not been so recognised, it is known as a ‘third country’ to which additional restrictions apply before data can be transferred there (see below).

The responsibility lies with the data exporter to assess the laws of the third country; they must also determine who the local data protection authority is in the third country, if any, and whether there are any form of laws, regulations and practices committed to data protection in place there. Not an easy task.

Key steps for exporting data

The European Data Protection Board (EDPB) has recommended a six-step process that should be followed when exporting data from the EEA to a country outside it:

• Knowing your transfers – you need to identify the data you want to transfer, and this should be limited to data that is strictly necessary for the purpose. You should also check whether the importing country has received an adequacy decision (see above), in which case a DTIA will not be required.
• Identify your transfer tool – Article 46 of the GDPR provides various transfer tools that can be used when exporting data to a third country. The most commonly used tool is likely to be the New EU SCCs. In some cases, where there is no adequacy decision in respect of the third country, you may be able to rely on an Article 49 derogation. Where a derogation applies (a form of exemption), you will not need to carry on with the DTIA. However, in practice, the applicability of a derogation is very limited (for example, it can only be used for one-off transfers and not for those done on a regular basis).
• Assess the laws and surveillance practices in the third country – when carrying out an assessment of the data protection laws in a third country, you may find your selected transfer tool (e.g. standard contractual clauses) on its own does not provide an adequate level of protection for the data, as it is also necessary to look at local surveillance laws to ensure they do not override such protection. The EDPB in its recommendations about surveillance laws has issued a document listing what is known as the four ‘European Essential Guarantees’ which must be satisfied in relation to access of data in third countries by public authorities for surveillance purposes.
•  Identify any supplementary measures – where your chosen transfer tool does not afford an essentially equivalent level of protection, e.g. because the Essential Guarantees in relation to surveillance cannot be met, you should consider appropriate ‘supplementary measures’ to remedy this. The supplementary measures can be contractual, technical or organisational in nature; technical examples include encryption and pseudonymisation.
•  Implement the supplementary measures – once you have identified the appropriate supplementary measures, you should take formal steps to implement these, including seeking authorisation from local data protection authority where the supplemental measures contradict the New EU SCCs. Upon implementation of your transfer tool and any appropriate supplementary measures (if required), you can then proceed to transfer the data.
•  Review and evaluation – you must monitor and evaluate on a regular basis for any changes in or developments to the laws or regulations and practices in the third country that may have an impact on the level of data protection, based on your initial assessment of them.

As the data exporter is ultimately accountable to the data subject and supervisory authority, all assessments should be properly documented.

Given the increased level of burden on the exporter, it is important to have in place a proper DTIA. We have created various documents and guidance that could assist you with completing your DTIA. For more information, please get in touch with our commercial team.

Where does that leave the UK?

The above rules relate to transfers from the EEA only to third countries outside the EEA.  The UK has also recently been recognised as providing an adequate level of data protection by the European Commission and accordingly, data can continue to flow as it did previously between the EEA and the UK without issue.

The position on the transfer of data from the UK to third countries (i.e. those without an adequacy decision by the UK ICO) is slightly different. While the UK ICO has adopted the old EU Standard Contractual Clauses (UK SCCs) with some amendments, there is presently no mandatory requirement to carry out a separate DTIA.

The UK ICO is however in the process of creating its own process to govern international transfers and has recently launched its consultation on a new International Data Transfer Agreement (IDTA) that is intended to replace the UK SCCs.

Watch this space as we will be updating on the developments around international transfers from the UK.