Transfer Risk Assessments (“TRA”) and Transfer Impact Assessments (“TIA”) are essentially the same thing. The Transfer Risk Assessment is simply the UK equivalent of the Transfer Impact Assessment, which was originally created under the European data protection regime following the judgment in Schrems II (more can be found on that here). So, if you hear both sets of terminology, they mean essentially the same thing in that they share the same objective, even if the scope of coverage differs slightly. The TRA is to be used by UK data exporters and the TIA by EEA data exporters.
So What is a Transfer Risk Assessment?
A risk assessment involves taking into account the “risks of varying likelihood and severity for the rights and freedoms of natural persons” (Article 24 UK GDPR). In a nutshell, it is a detailed look at the risks associated with transferring personal data to a third party outside the UK. The aim is to identify where the protections people enjoy under the UK data protection regime might be undermined by the transfer. If you identify such risks, supplementary measures must be put in place to mitigate them.
When do we undertake a Transfer Risk Assessment?
If you are transferring personal data outside the UK, this is known as a restricted transfer. Article 46 of the UK GDPR sets out the appropriate safeguards (transfer mechanisms) that can be relied upon in these circumstances. If the third party is located in a country with an adequacy finding, then no further measures or steps are necessary. The mechanisms listed under Article 46 include:
- UK Binding Corporate Rules
- Standard data protection clauses
- International Data Transfer Agreement (IDTA)
- EU Standard Contractual Clauses (EU SCCs) with UK Addendum
The Schrems II judgment confirmed the role of risk assessments in the rules on restricted transfers: before you can rely on an Article 46 transfer mechanism, you must carry out a risk assessment. This is therefore a requirement under UK data protection law.
For clarity, you do not need to undertake a TRA if the transfer is to a country with an adequacy finding or if the transfer is covered by an exception (not covered for the purpose of this article).
How do we undertake a TRA?
The Information Commissioner’s Office (“ICO”) outlines two acceptable approaches for undertaking a TRA. Option 1 is to use the ICO’s own recommended TRA Tool and Option 2 is to use the approach set out by the European Data Protection Board (“EDPB”). Both approaches follow a questionnaire-type format, prompting businesses to ask the appropriate questions about their transfers of personal data and to allocate a level of risk to each. The ICO tool is helpful in that it takes the form of a table that can be completed and retained for your own records, so that compliance can be demonstrated should the need ever arise. Some of the questions posed in the TRA Tool are:
- What are the specific circumstances of the restricted transfer?
- What is the level of risk to people in the personal information being transferred?
- What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
In line with question 3 above, the extent of the TRA must be reasonable and proportionate, taking into account the volume of data being transferred, the nature of that data, the size of the business undertaking the TRA and the resources it has available. Larger businesses with greater resources that transfer larger volumes of data will therefore likely need to conduct a much more thorough TRA than smaller businesses making lower-risk transfers.
What do we do after completion of the TRA?
The aim on completion of the Transfer Risk Assessment is to have a document that clearly records where risks have been identified, whether low, medium or high, and the steps to be taken to mitigate them. If the conclusion is that the protections in place in the destination country are ‘sufficiently similar’ to those in the UK, then you can proceed with the transfer. If not, the ICO TRA Tool gives examples of extra steps and protections that can be put in place to mitigate the risks identified.
In order to make those extra measures legally binding on the party receiving the personal data, amendments to the transfer mechanism being used will be required.
For example, if the transfer mechanism being used is the IDTA, the document contains a section in which to add ‘Extra Protection Clauses’. This is where the additional measures you have identified as necessary following the TRA would be added. The IDTA breaks this down into three sections:
- Extra technical security protections
- Extra organisational protections
- Extra contractual protections
The appendix to the ICO TRA Tool provides example clauses to add to the sections listed above.
If the outcome of the TRA is that the risk of the transfer is too high or too complex, then the transfer should not take place unless an exemption can be relied upon. A further, more detailed risk assessment may be required in these circumstances.
Conclusion & future considerations
It is a legal requirement that a Transfer Risk Assessment is undertaken by UK businesses transferring personal data to a country without an adequacy finding where no exemption can be relied upon. A TRA should form part of a business’s step-by-step process when making data transfers, and its outcome must be acted upon accordingly.
For clarity, businesses operating in or providing services to the EU will need to consider using the EU’s TIA. It is in fact a requirement under Clause 14 of the EU SCCs that such an assessment be completed before a data transfer is undertaken.
To ensure that the level of data protection does not decrease over time, businesses should regularly review the safeguards in place and adapt them as necessary.
As a future consideration, there is a suggestion in the current discussions regarding a possible adequacy finding for the US (by establishing a ‘data bridge’) that even a partial finding of adequacy would negate the need for a TRA. That decision, to us, seems to undermine the whole premise of data protection, but more clarity and guidance is needed on that point, so one to watch for now!
For any further guidance or questions in relation to the above article, please don’t hesitate to contact the Travlaw Team.
tel. – 01132 258 0033
email – email@example.com
This article was originally published on: 13 July 2023