Data Transfer Risk Assessment

Published on 25 Jul 2022

In this blog, we are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the following questions:

  • What is a TRA?
  • Who does it apply to?
  • Why is it important?
  • How do you conduct a TRA?
  • What are the main challenges in conducting a TRA?

Background

In July 2020, in its Schrems II judgement, the Court of Justice of the European Union (CJEU) decided that the EU-U.S. Privacy Shield is no longer an adequate instrument for enabling personal data transfers to the U.S.

In the same ruling, the CJEU held that while standard contractual clauses (SCCs) remain valid, there is a need to add supplementary clauses to the existing SCCs.

In addition, the underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected.

In practice, the decision by the CJEU means data exporters using either the SCCs or any other transfer mechanism, must carry out a risk assessment before transferring personal data to any third country not covered by an adequacy decision.

What is a TRA?

A TRA is a risk assessment that enables data exporters to determine if the mechanism they intend to use for an international data transfer (i.e., data transfer to a third country) provides an adequate level of protection in the circumstances of that transfer.

This means the TRA will consider the nature of both the personal data transfer and the destination country.

Who Does it Apply to?

All UK-based data exporters will need to carry out a risk assessment of all ‘restricted’ data transfers.

In published guidance, the UK Information Commissioner’s Office (ICO) defined a transfer as being restricted if:

  • The UK GDPR applies to the personal data being transferred
  • The data exporter is sending data or making it accessible to a data receiver/importer to whom the UK GDPR does not apply
  • The importer is a separate company or individual (including another company in the same corporate group).

The UK GDPR permits restricted transfers if any of the appropriate safeguards outlined in Article 46 are in place.

As a consequence, the UK ICO published in March 2022 a revised set of SCCs in the form of a model international data transfer agreement (IDTA). These approved safeguards can be used for routine data transfers to third countries.

In recognising that the TRA could be a complex exercise for many data exporters, the ICO has recently published a helpful tool to assist with the assessment.

Why is the TRA Important?

The UK GDPR places restrictions on transfers of personal data to third countries. The importance of a TRA is in helping to avoid data protection rights being evaded when data is transferred to a third country.

While the IDTA may bind both parties in a particular transfer arrangement, it does not necessarily cover all risks in third countries, nor does it regulate the conduct of any statutory agencies that may gain access to that personal data.

Since the existing third-country transfer safeguards cannot account for the specifics of all legal regimes in third party countries, the data exporter, in collaboration with the data importer, must carry out a case-by-case assessment of the protections that apply in the destination country.

Ultimately, for UK-based data exporters, the TRA is important because it allows them to determine whether the IDTA on its own provides appropriate safeguards for the restricted transfer or whether extra steps and protections are required.

How Do You Conduct a TRA?

The ICO expects that in conducting the risk assessment, a data exporter will verify “whether for your restricted transfer, taking into account all the circumstances of that restricted transfer, the IDTA provides protection for the data subjects, which is sufficiently similar to the relevant protections they have when their data is in the UK”.

Specifically, the TRA should assess the following 3 areas:

1. The specifics of the restricted transfer, including:

  • Type and categories of personal data to be transferred
  • Types of entities involved in the transfer
  • Sector in which the transfer occurs
  • The technological and organisational security the importer has in place to protect the data
  • Whether the data will be stored outside the UK or whether there is remote access to data stored within the UK
  • Movement of data when under the control of the importer
  • Possibility of data being forwarded on by the importer to another entity
  • Purpose of the transfer
  • Format of data
  • Method of transfer.

2. The particular facts about the destination country, including:

  • Whether there are partial UK adequacy regulations in relation to that country
  • Its human rights record
  • Its legal and court system, and how close it is to the UK legal and court system
  • How overseas judgments are recognised and enforced
  • Its laws and practices regulating third-party access (including public authority surveillance).

3. The potential impact on the data subjects of the transfer, and any risk of harm to data subjects which may be identified.

It is also important to ensure the level of protection does not decrease over time.

Further considerations for the data importer are whether the level of protection is undermined by any of the following:

  • Changes to the processing by the importer
  • Changes to the legal framework in the destination country
  • Technical developments facilitating the bypassing of security arrangements.

It is worth noting that in carrying out the TRA, it is best to focus only on those parts of the destination country’s legal regime which are relevant to the restricted transfer.

Importantly, the ICO is careful to maintain that the use of its TRA tool is not mandatory. The important thing is to ensure that a risk assessment is done.

What are the Main Challenges in Conducting a TRA?

Unlike the UK, the EU and the United States, many jurisdictions may not necessarily have robust law enforcement regimes and clear national security laws.

Often, such jurisdictions may have deliberately opaque and secret national security laws. URM believes this will pose a significant challenge for many UK data exporters conducting a TRA.

Despite the best efforts of the ICO – by publishing the IDTA and a TRA tool – conducting a TRA will most likely be a burdensome exercise for small and large data exporters alike, with the latter making hundreds, if not thousands, of data transfers to multiple third-country destinations.

URM believes that UK data exporters face 3 principal challenges:

  • Most data exporters, particularly the small to medium-sized ones, may lack the internal resource with adequate knowledge of the legal regime in destination countries
  • Even where the resource exists, there may be difficulties in picking through often opaque laws and finding ways to ensure data is afforded the required levels of protection
  • The need to monitor changes in the destination legal regime would require strong collaboration with the data importer. In practice, this would mean UK data exporters having to rely on the data importer to keep them updated on any changes. Exporters may also have to find ways of monitoring any changes in the way data is handled by the importer.

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will help you understand your current levels of compliance and identify gaps and vulnerabilities.