In this blog, we are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the following questions:
- What is a TRA?
- Who does it apply to?
- Why is it important?
- How do you conduct a TRA?
- What are the main challenges in conducting a TRA?
In July 2020, in its Schrems II judgement, the Court of Justice of the European Union (CJEU) decided that the EU-U.S. Privacy Shield is no longer an adequate instrument for enabling personal data transfers to the U.S.
In the same ruling, the CJEU held that while standard contractual clauses (SCCs) remain valid, there is a need to add supplementary clauses to the existing SCCs.
In addition, the underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected.
In practice, the decision by the CJEU means data exporters using either the SCCs or any other transfer mechanism, must carry out a risk assessment before transferring personal data to any third country not covered by an adequacy decision.
What is a TRA?
A TRA is a risk assessment that enables data exporters to determine if the mechanism they intend to use for an international data transfer (i.e., data transfer to a third country) provides an adequate level of protection in the circumstances of that transfer.
This means the TRA will consider the nature of both the personal data transfer and the destination country.
Who Does it Apply to?
All UK-based data exporters will need to carry out a risk assessment of all ‘restricted’ data transfers.
In published guidance, the UK Information Commissioner’s Office (ICO) defined a transfer as being restricted if:
- The UK GDPR applies to the personal data being transferred
- The data exporter is sending data or making it accessible to a data receiver/importer to whom the UK GDPR does not apply
- The importer is a separate company or individual (including another company in the same corporate group).
The UK GDPR permits restricted transfers if any of the appropriate safeguards outlined in Article 46 are in place.
As a consequence, the UK ICO published in March 2022 a revised set of SCCs in the form of a model international data transfer agreement (IDTA). These approved safeguards can be used for routine data transfers to third countries.
In recognising that the TRA could be a complex exercise for many data exporters, the ICO has recently published a helpful tool to assist with the assessment.
Why is the TRA Important?
The UK GDPR places restrictions on transfers of personal data to third countries. The importance of a TRA is in helping to avoid data protection rights being evaded when data is transferred to a third country.
While the IDTA may bind both parties in a particular transfer arrangement, they do not necessarily cover all risks in third countries, nor do they regulate the conduct of any statutory agencies that may gain access to that personal data.
Since the existing third-country transfer safeguards cannot account for the specifics of all legal regimes in third party countries, the data exporter, in collaboration with the data importer, must carry out a case-by-case assessment of the protections that apply in the destination country.
Ultimately, for UK-based data exporters, the TRA is important because it allows them to determine whether the IDTA on its own provides appropriate safeguards for the restricted transfer or whether extra steps and protections are required.
How Do You Conduct a TRA?
The ICO expects that in conducting the risk assessment, a data exporter will verify “whether for your restricted transfer, taking into account all the circumstances of that restricted transfer, the IDTA provides protection for the data subjects, which is sufficiently similar to the relevant protections they have when their data is in the UK”.
Specifically, the TRA should assess the following 3 areas:
1. The specifics of the restricted transfer, including:
- Type and categories of personal data to be transferred
- Types of entities involved in the transfer
- Sector in which the transfer occurs
- The technological and organisational security the importer has in place to protect the data
- Whether the data will be stored outside the UK or whether there is remote access to data stored within the UK
- Movement of data when under the control of the importer
- Possibility of data being forwarded on by the importer to another entity
- Purpose of the transfer
- Format of data
- Method of transfer.
2. The particular facts about the destination country, including:
- Whether there are partial UK adequacy regulations in relation to that country
- Its human rights record
- Its legal and court system, and how close that it is to the UK legal and court system
- How overseas judgments are recognised and enforced
- Its laws and practices regulating third-party access (including public authority surveillance).
3. The potential impact on the data subjects of the transfer, and any risk of harm to data subjects which may be identified.
It is also important to ensure the level of protection does not decrease over time.
Further considerations for the data importer are whether the level of protection is undermined by any of the following:
- Changes to the processing by the importer
- Changes to the legal framework in the destination country
- Technical developments facilitating the bypassing of security arrangements.
It is worth noting that in carrying out the TRA, it is best to focus only on those parts of the destination country’s legal regime which are relevant to the restricted transfer.
Importantly, the ICO is careful to maintain that the use of its TRA tool is not mandatory. The important thing is to ensure that a risk assessment is done.
What are the Main Challenges in Conducting a TRA?
Unlike the UK, the EU and the United States, many jurisdictions may not necessarily have robust law enforcement regimes and clear national security laws.
Often, such jurisdictions may have deliberately opaque and secret national security laws. URM believes this will pose a significant challenge for many UK data exporters conducting a TRA.
Despite the best efforts of the ICO – by publishing the IDTA and a TRA tool– conducting a TRA will most likely be a burdensome exercise for small and large data exporters alike, with the latter making hundreds, if not thousands, of data transfers to multiple third-country destinations.
URM believes that UK data exporters face 3 principal challenges:
- Most data exporters, particularly the small to medium-sized ones, may lack the internal resource with adequate knowledge of the legal regime in destination countries
- Even where the resource exists, there may be difficulties in picking through often opaque laws and finding ways to ensure data is afforded the required levels of protection
- The need to monitor changes in the destination legal regime would require strong collaboration with the data importer. In practice, this would mean UK data exporters having to rely on the data importer to keep them updated of any changes. Exporters may also have to find ways of monitoring any changes in the way data is handled by the importer.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs ROPAs, privacy notices, data retention schedules and training programmes etc.
The EU GDPR and the UK DPA both require organisations to protect and ensure the privacy of any personal data which they process.
This blog focuses on an aspect of the GDPR which can be particularly challenging for a number of organisations.
We look at the requirement within both the DPA and the GDPR to verify the identity of an individual making a request before acting or releasing information