Transfer Impact Assessment

In July 2020, the Schrems II ruling was handed down. The European Commission’s Privacy Shield Decision was ruled invalid by the EU Court of Justice, making international personal data transfers based on that decision illegal. Furthermore, controllers and processors that transfer personal data based on Standard Contractual Clauses (SCCs) must ensure that data subjects receive the same level of protection as under the General Data Protection Regulation (GDPR).

In June 2021, the European Data Protection Board (EDPB) adopted a final version of the Recommendations on supplementary measures, which help controllers and processors that export personal data ensure an equivalent level of protection for the data they transfer.

How do you know which measures to apply? In comes the Transfer Impact Assessment (TIA)!

Challenges of TIAs

The practical challenges that TIAs present are similar to those of the Data Protection Impact Assessment:

Getting the right and complete information

It’s not always clear which information to look for when assessing suppliers during a Transfer Impact Assessment.

Receiving the information in time

Getting feedback from both the business and the external stakeholders can be very slow, which makes follow-up a real challenge.

Documentation of previous assessments and measures

Organizations are obliged to keep an accurate record of the measures and assessments they have taken. That is often a document management nightmare!

Continuous review and reassessment of your TIAs

TIAs need to be reviewed continuously, as stakeholders and national laws can change over time. It’s extremely challenging to keep track of those developments as a single organization.

So how does the RESPONSUM TIA module help?

1. Identify Transfers

Recognize cross-border transfers, data importers and third countries involved.

Based on that information, RESPONSUM offers advice on whether to perform a TIA. When connected to our Register of Processing Activities module, this identification will happen automatically so you’ll be notified whenever a TIA is necessary or needs to be revised.

2. Guided Assessment

In just 6 clear, predefined steps, RESPONSUM walks you through an entire TIA. That way you can easily follow the right process, remain up-to-date on which information is still required and ultimately ensure your compliance with the GDPR.

The end result? A clear evaluation of whether the risks related to the transfer of personal data can be accepted.

3. Manage Measures

Once a TIA has been completed, additional supplementary measures might be necessary. Follow up on those activities to ensure the risks are properly mitigated, and easily stay up to date on their implementation.

Does your organization export personal data to non-EU countries? Discover how Transfer Impact Assessments become a piece of cake! 🍰

We’ll happily jump on a call to answer your questions.