A ‘transfer risk assessment’ (TRA) determines whether the effective and legally enforceable protection for data subjects and their personal data under the UK data protection regime will be undermined in the proposed receiving country, even if the transferring firm uses one of the ‘transfer tools’ for providing appropriate safeguards under Article 46 of the UK GDPR.
Those transfer tools are the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs (the Addendum) and ICO-approved Binding Corporate Rules (BCRs).
As explained previously, in upholding the second successful challenge to the EU-US Privacy Shield, the ECJ decided that before a firm may rely on an Article 46 transfer tool to make a restricted transfer, it must carry out a TRA to determine whether it also needs to take supplementary steps to fill any gap in protection. If there are gaps that cannot be filled, the transfer must not be made.
It's worth noting that the ICO states in its guidance:
You do not need to carry out a TRA if you are making a transfer to any country covered by UK adequacy regulations or if the transfer is covered by one of the exceptions [in Article 49].
This is supported by guidance from the European Data Protection Board (made up of all EU member state data protection regulators):
27. If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with Step 3.
But, again, as explained previously (and in the EDPB's own guidance on Article 49), the way the GDPR works is that, unless the country in question benefits from an adequacy finding, you would need to have decided whether to rely on a transfer tool under Article 46 before you can try to rely on an exception under Article 49, so you need a risk assessment either way.
The ICO's template TRA tool is a Word document that can be opened from the link at the foot of the guidance page. It asks six questions (with guidance) to help firms reach an initial assessment. Using the tool will likely be the most efficient route, but it is not mandatory and you could work through the questions yourself:
Question 1: What are the specific circumstances of the restricted transfer?
Question 2: What is the level of risk to people in the personal information you are transferring?
Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
Question 5:
(a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
(b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
Question 6: Do any of the exceptions to the restricted transfer rules [in Article 49 of UK GDPR] apply to the “significant risk data” [which you identified in Questions 4 and 5 as data for which your Article 46 transfer tool does not provide all the appropriate safeguards]?
If, by using the TRA tool, you decide that your Article 46 transfer mechanism will not provide appropriate safeguards and effective and enforceable data subject rights for all of the personal data, then you must not make the restricted transfer.
The ICO will soon issue guidance on how to use the International Data Transfer Agreement (IDTA) and the Addendum to the Standard Contractual Clauses.
If you need assistance with any aspect of international personal data transfers, please let me know.
Great blog;)