In this blog, Pauline Brace, Senior Data Protection and Information Security Consultant at URM, draws upon her extensive experience as a Data Protection (DP) Consultant to share advice and guidance on conducting data transfer impact assessments (DTIAs). The blog is based on the transcript of a webinar which was delivered at the end of 2023 by Pauline Brace and Lisa Dargan, Director at URM. In the webinar, Pauline and Lisa discussed the circumstances under which you would need to carry out a DTIA, how to comply with the General Data Protection Regulation (GDPR), and the failings we most frequently see when helping organisations conduct DTIAs.
What is data transfer under the GDPR?
Under the GDPR, a data transfer (the ICO calls it a ‘restricted transfer’) occurs when your organisation sends personal data to, or makes it accessible from, a ‘third country’: any country outside the EEA under the EU GDPR, or outside the UK under the UK GDPR. Where the destination country has not been recognised as providing equivalent legal protection for individuals’ rights (see adequacy decisions below), you need a transfer safeguard and, before the data is transferred, a DTIA, also known in the UK as a transfer risk assessment (TRA).
When do you need to do a DTIA?
Typically, you would first consider data transfer requirements when you do a data protection impact assessment (DPIA) before undertaking new processing activities or when engaging new third party services. If you identify that personal data will be transferred to, processed in or accessed from a third country, you will need to do a DTIA before the transfer takes place, particularly when special category data is involved. The requirement flows from the GDPR’s transfer rules (Chapter V) as interpreted by the CJEU in its Schrems II judgement of July 2020: when you rely on a transfer tool such as standard contractual clauses (SCCs) or the UK’s International Data Transfer Agreement (IDTA), you must first assess whether the law and practice of the destination country undermine the protection that tool is meant to provide, and you must do so before any data transfer occurs.
Why is a DTIA needed?
The goal of the DTIA is to ensure that the protection of data subjects’ rights in the recipient country is ‘sufficiently similar’ to that provided under the GDPR. There are some key concerns around transferring data to certain third countries which make DTIAs necessary. While you may have commercial arrangements in place with an organisation that is contractually bound to maintain data protection, the country it is in may not be stable enough, or may lack legislation which would give your data subjects enforceable rights to judicial remedy or compensation if their rights are breached. A contract binds the recipient, but it cannot bind that country’s government or courts. You also need to ensure that the receiving entity, known as the data importer, will protect the personal data as well as the home controller does.
Do you still have to do a DTIA when transferring data to a country with an adequacy decision?
It is best practice to do a quick DTIA anyway to check what data is being transferred, whether the transfer is necessary, how the data will be secured in transit and at rest, and whether all compliance requirements are met by the data importer. However, the legislation states that where the EU (by an adequacy decision) or the UK (by adequacy regulations) has recognised a country as providing equivalent legal protection of data subjects’ rights, a DTIA is not necessary. Check the scope of the decision, too: some adequacy decisions are limited to particular sectors or certified organisations rather than the whole country.
When can ‘binding corporate rules’ be used to legitimise a data transfer under the GDPR?
Some organisations, particularly large global groups, have invested in a set of measures known as ‘binding corporate rules’ (BCRs) which can be relied upon to legitimise data transfers to a group company in a third country. To qualify as BCRs, the measures must be documented, audited and approved by the competent supervisory authority (the ICO in the UK). BCRs are expensive to implement and represent a huge commitment, so usually only larger organisations establish them. Note that they cover only transfers within the group; transfers to external suppliers still need another safeguard.
Are there any other measures which mean you don’t have to conduct a DTIA?
The legislation provides some relief from having to perform a DTIA under certain circumstances. Where no adequacy decision or appropriate safeguard applies, you may be able to rely on one of the transfer derogations (Article 49 of the GDPR) to legitimise your transfer. One of these derogations allows you to rely on your data subjects giving explicit, informed consent for you to transfer their data to a third country, provided they understand that their rights may not be protected there. However, the usefulness of this option is limited and it should only be considered for one-off, low volume, occasional transfers. This is because, to be valid, consent must be capable of being withdrawn, and if your data subjects withdraw it you may not be able to retrieve or completely remove their data from the third country; with large volume transfers this quickly becomes unmanageable.
If the transfer is necessary for the performance of a contract or service your data subjects have asked you to provide, or if it is necessary for important reasons of public interest, you can rely on these derogation grounds for the transfer. You can also transfer data to protect the vital interests of an individual who is physically or legally incapable of giving consent.
Remember that your documented DPIA and DTIA are valuable tools to provide assurance that your contracts with third party data processors enable you to maintain compliance with your data controller obligations and provide you with evidence of decisions you made regarding the transfer.
If you can’t rely on a derogation, each of which must be carefully considered and applied case by case, you may still be able to justify the transfer if it concerns a limited number of data subjects, is a non-repetitive (one-off) transfer, and you have compelling legitimate interests for making it which are not overridden by the interests and rights of the data subjects. This last-resort ground also requires you to assess all the circumstances, put suitable safeguards in place and inform both the supervisory authority and the data subjects of the transfer. Transferring personal data is an aspect of processing, so you must also make sure it is necessary and aligned with an appropriate lawful basis.
Is there any overlap between DTIAs and DPIAs?
Many of the early stages of a DTIA will likely have already been covered in your data protection impact assessment (DPIA), and you may be able to consolidate them into a single document, but it’s important to keep in mind that they are separate requirements and should be treated as such.
How do you conduct a DTIA?
First, you will need to map the flow and destination of the personal data (including data importers, exporters and onward transfers to sub-processors in the supply chain), confirm what personal data you will be transferring and justify the necessity of the transfer. After this, you will need to determine which transfer methods will be used, such as an application-to-application or online transfer, a bulk data exchange, or an email data extract, and whether it is a continual, occasional or one-off transfer. You will then need to perform a security risk assessment and establish the technical and organisational measures that you and the data importer will need to have in place.
If you cannot identify or rely on a recognised safeguard or derogation, you, as the data controller, must perform your own third country risk assessment. This can be quite daunting and, in our experience, is the stage organisations find most uncomfortable and most frequently struggle with. However, it is mandatory if you have no safeguard or derogation to rely on. If the recipient country is known to be politically unstable or hostile to privacy rights, you will need to consider what laws it has which are equivalent to our rights in the UK and EU, and whether there is any risk of government surveillance, interference or misuse. The latter is often incredibly tricky to navigate, as you can only rely on the information available to you, but there are many sources you can use to research the extent to which a particular government surveils or interferes with data. We also always advise that you speak to the data importer and raise any concerns you have, e.g. have they ever received a government or court order to hand over UK/EU data, and would they be permitted to tell you if they had?
Once you have identified the third country risks, you will need to establish if and how they can be mitigated. For example, your organisation may be able to encrypt the data before it leaves and keep control of the encryption keys, so that the data importer stores the data but cannot open it. This only works where the importer does not need the plaintext to do its job (storage, backup or transit); it does not help where a supplier must read the data to provide the service, and it depends on strong encryption and on the keys genuinely never being available in the third country. If you can’t reach a decision you’re comfortable with here, you can seek guidance from your supervisory authority, which is the Information Commissioner’s Office (ICO) if you’re based in the UK. However, if you reach this stage, you should prepare for the possibility that the ICO may tell you not to transfer the data, which is why it’s so important to perform DTIAs (and DPIAs) before the transfer is made. Finally, you should perform the balancing test, which is to consider whether the transfer is proportionate, reasonable, and aligned with the protection of the data subjects’ rights as well as your organisation’s needs.
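As an added illustration of the ‘importer stores but cannot open’ mitigation described above (this is example code written for this page, not URM’s template or any regulator’s material), the following Go program uses envelope encryption: the exporter encrypts each record under a fresh per-record data encryption key (DEK) with AES-256-GCM, wraps that DEK under a key encryption key (KEK) that never leaves the exporter, and hands the importer only ciphertext plus the wrapped DEK. The record identifier is bound as associated data so a stored envelope cannot be quietly swapped onto another record, and the GCM tag means any tampering in storage is detected on recovery. The names `Envelope`, `Export` and `Recover`, and the sample record, are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the exporter hands to the data importer for storage.
// It carries no usable key material: the DEK is wrapped under the
// exporter's KEK, which never leaves the exporter's control.
type Envelope struct {
	Ciphertext []byte // AES-256-GCM(DEK, record) with the tag appended
	Nonce      []byte // GCM nonce used for Ciphertext
	WrappedDEK []byte // AES-256-GCM(KEK, DEK) with the tag appended
	WrapNonce  []byte // GCM nonce used for WrappedDEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a random nonce, binding aad.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts ct and fails if the key, nonce, aad or ciphertext differ
// from what was sealed (GCM authentication failure).
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Export is the exporter's path: a fresh 256-bit DEK per record, the record
// encrypted under the DEK, and the DEK wrapped under the KEK. recordID is
// bound as associated data to both layers.
func Export(kek, record []byte, recordID string) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	nonce, ct, err := seal(dek, record, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, Nonce: nonce, WrappedDEK: wrapped, WrapNonce: wrapNonce}, nil
}

// Recover is also exporter-only: without the KEK the DEK cannot be unwrapped,
// so whoever stores the Envelope (the importer) cannot read the record.
func Recover(kek []byte, env Envelope, recordID string) ([]byte, error) {
	dek, err := open(kek, env.WrapNonce, env.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK, wrong record, or tampered envelope")
	}
	return open(dek, env.Nonce, env.Ciphertext, []byte(recordID))
}

func main() {
	kek := make([]byte, 32) // in practice: held in the exporter's KMS/HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("name=Alice Example;dob=1980-01-01") // constructed sample
	env, err := Export(kek, record, "subject-0001")
	if err != nil {
		panic(err)
	}
	// The importer holds env but not kek; any key it guesses fails to unwrap.
	importerKey := make([]byte, 32)
	if _, err := Recover(importerKey, env, "subject-0001"); err != nil {
		fmt.Println("importer:", err)
	}
	pt, err := Recover(kek, env, "subject-0001")
	fmt.Printf("exporter: %q (err=%v)\n", pt, err)
}
```

The point to take from the code is where the KEK lives: if it is ever shared with the importer, stored alongside the envelopes, or generated inside the third country, the mitigation evaporates. In a real deployment the KEK sits in a key management service or HSM under the exporter’s sole control and the key-handling steps are logged as evidence for the DTIA.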
Is there a framework you can follow when conducting a DTIA?
There are templates available that you can follow to help you conduct your DTIA, and we at URM have developed a very effective template which we frequently rely on. The templates that are available from the supervisory authorities are relatively straightforward once you understand what you’re doing but can be quite intimidating and difficult if you’re not already familiar with DTIAs.
What are the most common failings and mistakes you see organisations make with DTIAs?
Avoidance of the DTIA, because of its complexity, fear of the outcome, or a belief among senior management that it isn’t necessary, is one of the failings we most frequently see organisations make in respect of DTIAs. Organisations sometimes fail to record their decisions in their DTIAs, and suffer from a sense of complacency stemming from the belief that the DTIA is someone else’s problem, leading to overreliance on suppliers and service providers without appropriate contractual guarantees. The use of retrospective DTIAs can also be an issue. It’s important to remember that DTIAs must be carried out before the data is transferred, and the compliance of legacy transfers still needs to be evidenced, even if your organisation has been making them for a long time.
Is participation in the EU to US Data Privacy Framework sufficient to legitimise a data transfer to the US?
At the time of writing this blog, the Data Privacy Framework (DPF) is still very immature, so it is worth questioning your data importer if it says it has signed up to the scheme. In the future, we should be able to rely on this framework for transferring data from the EU (and, via the UK extension, from the UK) to the US, but it is not widely adopted currently, and the recipient organisation has to do a lot of work to certify. Under the transfer requirements, receiving US organisations must self-certify to the US Department of Commerce, which reviews the certification and publishes the list of participating organisations, and the US Federal Trade Commission enforces their commitments. As such, when you do your supplier due diligence you will need to check that the receiving entity actually appears on the DPF list, that its certification is current, and that the certification covers the type of data you are transferring (HR data is listed separately).
Even if the US receiving entity is certified, a controller would still be required to negotiate a binding contract, as the Framework only provides the basis for the transfer itself and none of the other aspects of UK and EU DP legislation, which must still be enforceable. In particular, a processor in the US still needs an Article 28-compliant processing contract.
How URM Can Help
With 17 years of experience in helping organisations to comply with DP legislation such as the Data Protection Act 2018 (DPA) and the GDPR, URM is well placed to help you achieve and maintain full GDPR compliance, including assistance with DTIAs. Our GDPR consultants are adept at supporting organisations in preparing DTIAs and embedding them into working practice. We also offer a half-day training course, led by a practising GDPR consultant, which provides practical guidance on every aspect of DTIAs, including how to conduct them.
If you need help with other aspects of complying with DP legislation, URM can offer a range of GDPR consultancy services, extending well beyond DTIAs. We offer a virtual DPO service, providing you with access to a team of highly experienced and qualified DP practitioners, each with their own specialist area of GDPR consultancy. We can also conduct a gap analysis of your organisation’s current DP practices to identify gaps in your current levels of compliance, supporting your development and implementation of a prioritised remediation plan. Our consultants can help your organisation develop a record of processing activities (ROPA), which will identify any high-risk data processing and how those risks can be mitigated.
If your organisation receives a data subject access request (DSAR), you may be unsure how to complete it, determine whether the request is valid, and verify the identity of the data subject. URM offers a 1 day ‘How to Manage DSARs’ training course which covers all of these areas, allowing you to return to your workplace with confidence in your ability to deal with these requests. If you would like further support and assurance that you are responding to DSARs in full compliance with the legislation, URM also offers a GDPR DSAR redaction service, where our consultants are highly experienced in deciding which elements of a document need to be redacted and where exemptions can be applied.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules, training programmes etc.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will help you understand your current levels of compliance and identify gaps and vulnerabilities.