Data Transfer Risk Assessment
In this blog, we are focussing on transfer risk assessments (TRAs) and, having provided some of the backgrounds that has led to their introduction, we will aim to address the following questions:
- What is a TRA?
- Who does it apply to?
- Why is it important?
- How do you conduct a TRA?
- What are the main challenges in conducting a TRA?
In July 2020, in its Schrems II judgement, the Court of Justice of the European Union (CJEU) decided that the EU-U.S. Privacy Shield is no longer an adequate instrument for enabling personal data transfers to the U.S.
In the same ruling, the CJEU held that while standard contractual clauses (SCCs) remain valid, there is a need to add supplementary clauses to the existing SCCs.
In addition, the underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected.
In practice, the decision by the CJEU means data exporters using either the SCCs or any other transfer mechanism, must carry out a risk assessment before transferring personal data to any third country not covered by an adequacy decision.
What is a TRA?
A TRA is a risk assessment that enables data exporters to determine if the mechanism they intend to use for an international data transfer (i.e. data transfer to a third country) provides an adequate level of protection in the circumstances of that transfer.
This means the TRA will consider the nature of both the personal data transfer and the destination country.
Who Does it Apply to?
All UK-based data exporters will need to carry out a risk assessment of all ‘restricted’ data transfers.
In a recently published guidance, the UK Information Commissioner’s Office (ICO) defined a transfer as being restricted if:
- The UK GDPR applies to the personal data being transferred
- The data exporter is sending data or making it accessible to a data receiver/importer to whom the UK GDPR does not apply
- The importer is a separate company or individual (including another company in the same corporate group).
The UK GDPR permits restricted transfers if any of the appropriate safeguards outlined in Article 46 are in place.
As a consequence, the UK ICO published a newly approved set of SCCs and a model international data transfer agreement (IDTA). These approved safeguards can be used for routine data transfers to third countries.
In recognising that the TRA could be a complex exercise for many data exporters, the ICO has recently published a helpful tool to assist with the assessment.
Why is the TRA Important?
The UK GDPR places restrictions on transfers of personal data to third countries. The importance of a TRA is in helping to avoid data protection rights being evaded when data is transferred to a third country.
While current SCCs and the IDTA may bind both parties in a particular transfer arrangement, they do not necessarily cover all risks in third countries, nor do they regulate the conduct of any statutory agencies that may gain access to that personal data.
Since the existing third-country transfer safeguards cannot account for the specifics of all legal regimes in third party countries, the data exporter, in collaboration with the data importer, must carry out a case-by-case assessment of the protections that apply in the destination country.
Ultimately, for UK-based data exporters, the TRA is important because it allows them to determine whether the IDTA on its own provides appropriate safeguards for the restricted transfer or whether extra steps and protections are required.
How Do You Conduct a TRA?
The ICO expects that in conducting the risk assessment, a data exporter will verify ” whether for your restricted transfer, taking into account all the circumstances of that restricted transfer, the IDTA provides protection for the data subjects, which is sufficiently similar to the relevant protections they have when their data is in the UK”.
Specifically, the TRA should assess the following 3 areas:
1. The specifics of the restricted transfer, including:
- Type and categories of personal data to be transferred
- Types of entities involved in the transfer
- Sector in which the transfer occurs
- The technological and organisational security the importer has in place to protect the data
- Whether the data will be stored outside the UK or whether there is remote access to data stored within the UK
- Movement of data when under the control of the importer
- Possibility of data being forwarded on by the importer to another entity
- Purpose of the transfer
- Format of data
- Method of transfer
2. The particular facts about the destination country, including:
- Whether there are partial UK adequacy regulations in relation to that country
- Its human rights record
- Its legal and court system, and how close that it is to the UK legal and court system
- How overseas judgments are recognised and enforced
- Its laws and practices regulating third-party access (including public authority surveillance).
3. The potential impact on the data subjects of the transfer, and any risk of harm to data subjects which may be identified.
It is also important to ensure the level of protection does not decrease over time.
Further considerations for the data importer are whether the level of protection is undermined by any of the following:
- Changes to the processing by the importer
- Changes to the legal framework in the destination country
- Technical developments facilitating the bypassing of security arrangements.
It is worth noting that in carrying out the TRA, it is best to focus only on those parts of the destination country’s legal regime which are relevant to the restricted transfer.
Importantly, the ICO is careful to maintain that the use of its TRA tool is not mandatory. The important thing is to ensure that a risk assessment is done.
What are the Main Challenges in Conducting a TRA?
Unlike the UK, the EU and the United States, many jurisdictions may not necessarily have robust law enforcement regimes and clear national security laws.
Often, such jurisdictions may have deliberately opaque and secret national security laws. URM believes this will pose a significant challenge for many UK data exporters conducting a TRA.
Despite the best efforts of the ICO – by publishing the IDTA, a TRA tool and updated SCCs – conducting a TRA will most likely be a burdensome exercise for small and large data exporters alike, with the latter making hundreds, if not thousands, of data transfers to multiple third-country destinations.
URM believes that UK data exporters face 3 principal challenges:
- Most data exporters, particularly the small to medium-sized ones, may lack the internal resource with adequate knowledge of the legal regime in destination countries
- Even where the resource exists, there may be difficulties in picking through often opaque laws and finding ways to ensure data is afforded the required levels of protection
- The need to monitor changes in the destination legal regime would require strong collaboration with the data importer. In practice, this would mean UK data exporters having to rely on the data importer to keep them updated of any changes. Exporters may also have to find ways of monitoring any changes in the way data is handled by the importer.
How URM Can Help
In this blog, we have provided a high-level overview of what UK data exporters need to know about transfer risk assessments.
We have also outlined what we see as the key challenges data exporters are likely to face when conducting the assessments.
If you think this new requirement may have an impact on your organisation, URM’s team of data protection consultants can provide pragmatic, expert and tailored advice.
More about the GDPR and DP
GDPR and DP Training
Our office is open 08:00 – 17:30 Monday to Friday.