Data Transfer Impact Assessments | A guide to TIAs under GDPR 06/11/24, 17.11


Transfer Impact Assessments (TIAs)

Article 12 mins read Updated on 29 August 2023

Our subject expert

Lillian Tsang MBA
Senior Data Protection and Privacy Solicitor

If you are an organisation transferring personal data out of the EU, you may need a ‘Transfer Impact Assessment’ – an international data transfer risk assessment which is mandatory under the GDPR.

In this guide, we’ll explain what a Transfer Impact Assessment is and the key steps involved in conducting one.

This is a complex topic and there are different approaches depending on whether the GDPR (EU data protection law) or UK GDPR applies, so please contact our team if you’d like advice on this and your specific transfers of personal data.

https://harperjames.co.uk/article/transfer-impact-assessments-tias/ Page 1 of 20

Jump to:

• What is a Transfer Impact Assessment under the GDPR?
• What is a ‘Restricted Transfer’ of personal data under the GDPR and why does it matter?
• Why do I need a Transfer Impact Assessment if I’m putting in place appropriate safeguards, such as using the SCCs?
• How do I conduct a Transfer Impact Assessment under the GDPR?
• Why do Transfer Impact Assessments matter?
• What about transfers of personal data outside of the UK, subject to the UK GDPR?
• Transfer Risk Assessments under the UK GDPR
• The ICO’s Transfer Risk Assessment sets out 6 questions
• How Harper James can help

What is a Transfer Impact Assessment under the GDPR?

A ‘Transfer Impact Assessment’ is a risk assessment used for the purposes of transferring personal data from the EU to certain non-EU countries.

A Transfer Impact Assessment is needed to make sure that when personal data of individuals in the EU is transferred outside of the EU, it’s still protected in the same way it needs to be protected under the GDPR.

The organisation exporting personal data outside of the EU needs to carry out this assessment, to check if the relevant transfer of personal data will be safe or not.

As part of a Transfer Impact Assessment, the organisation exporting personal data needs to consider a series of questions, to check if personal data will be adequately protected. These are covered further, below.

What is a ‘Restricted Transfer’ of personal data under the GDPR and why does it matter?

You’ll need to consider a Transfer Impact Assessment when you are making a ‘restricted transfer’ of personal data.

Restricted transfers occur where EU (or UK) personal data is being transferred to other ‘third countries’, where such transfers of data would be prohibited by the GDPR and UK GDPR.

For the purposes of GDPR, to identify a restricted transfer, you need to look at whether you are sending personal data outside of the EU and consider:

• Which country or countries are you sending the personal data to?

• Are the countries you’re sending the personal data to deemed to afford an adequate level of protection to personal data? If the countries you’re sending the personal data to are subject to an adequacy decision, this means you can send personal data to them freely.

• If the countries are not subject to an adequacy decision, have you put in place appropriate safeguards such as Binding Corporate Rules (BCRs) or commonly used Standard Contractual Clauses (SCCs)?

• Do any other exemptions or derogations apply under the GDPR, which would allow you to send personal data to those countries?

• If you determine that you need appropriate safeguards in place, such as SCCs, to govern the transfer of personal data outside of the EU, then you’ll need to consider carrying out a Transfer Impact Assessment.

Why do I need a Transfer Impact Assessment if I’m putting in place appropriate safeguards, such as using the SCCs?

Since the Schrems II ruling, which was famously known for invalidating the Privacy Shield, it has been clear that organisations transferring personal data outside of the EU and UK must conduct Transfer Impact Assessments to verify, on a case-by-case basis, whether the laws of the third country to which personal data is sent have any impact on the effectiveness of the SCCs. Just because you have signed the SCCs, it doesn’t mean you have ensured there are protections, enforceable rights and legal remedies that are ‘essentially equivalent’ to those guaranteed under GDPR.

Now, transfers that are made using any of the Article 46 GDPR tools (for example SCCs) may only be relied on if the exporting organisation has undertaken a documented case-by-case Transfer Impact Assessment to ensure the personal data (and data subjects) remain protected to the required standard under GDPR.

In summary, it’s vital for data exporters (controllers or processors), in partnership with the organisation receiving data in the third country (data importers), to evaluate the laws of the destination country to which personal data is being sent and put in place measures to make sure that personal data is protected when it is sent to those countries, to the same level as it would be under the GDPR.

How do I conduct a Transfer Impact Assessment under the GDPR?

The European Data Protection Board (EDPB) made various recommendations about what a Transfer Impact Assessment needs to cover, as set out below.

Certain steps in the assessment process are very difficult to deal with in practice, but it’s vital that you get this right and make sure that the European Data Protection Board’s Recommendations are taken into consideration.

The EDPB recommends the following 6 steps to assess risks related to transfers:

STEP 1 – Personal data mapping
As a first step, you need to know your international data transfers, where your data is going and why. Note that data ‘transfer’ also includes access to personal data from a third country.

STEP 2 – Verify the transfer mechanism
Under GDPR, there’s a general rule against transferring personal data outside of the EU and EEA – unless the data is transferred to a country that’s considered adequate by the European Commission (e.g. the UK) or subject to an appropriate safeguard such as BCRs or SCCs, or if it benefits from a derogation for specific circumstances (but that’s rarely used). See the guidance on transfer tools listed under Article 46 GDPR.

STEP 3 – Assess the local laws of the country you’re sending personal data to
You need to ensure that the level of protection in the importing country is equivalent to that guaranteed under the GDPR. For this step, you’ll need to assess the laws and practices of the third country and check if they will have an effect on the value of your appropriate safeguards or transfer tools (e.g. your SCCs). You should consider the potential for access to the data by public authorities of the third country, including rights and remedies available to data subjects. In practice, this is a very difficult step and you may need to take local law advice, for example, to check the extent to which public authorities could access personal data in those countries, what surveillance powers are available and what safeguards are in place to limit those powers.

STEP 4 – Identify and adopt supplementary measures
You’ll need to identify which extra measures are necessary to bring the level of protection of the data transferred (under an Article 46 tool) up to the standard that is needed to protect the personal data that you are sending to the third country. Examples of supplementary measures include anonymisation or pseudonymisation of personal data and encryption. This can again be very difficult to tackle in practice.

STEP 5 – Take any formal procedural steps
You’ll need to take any formal procedural steps that the adoption of the supplementary measure(s) may require - this is dependent on the Article 46 GDPR transfer tool that you are relying on.

STEP 6 – Re-evaluate
You’ll need to re-evaluate, at appropriate intervals, the level of protection afforded to the personal data that is transferred to third countries and monitor if there have been or will be any developments that may affect it. You’ll need to keep a close eye on your data transfers and ensure your assessments are updated when necessary – you’ll also need to understand if any local law updates are relevant to your assessments, and local lawyers can assist with this.

• You might need to carry out more than one Transfer Impact Assessment per country, depending on which types of personal data are being transferred.

• You should also be careful when dealing with onward transfers of personal data - whilst you may have satisfied yourself that the importing country has in place adequate measures for a restricted transfer to take place, you need to also ensure that the same flows down the chain (e.g. if further transfers of personal data are made from the importing country to other countries). This is a complicated point, so please contact us if you’d like advice on this.

• If your assessment reveals a potential issue, then you’ll need to evaluate whether supplementary measures could be used and then repeat the assessment to see whether the issue can be resolved. If the Transfer Impact Assessment indicates, even after considering all supplementary measures, that the required level of protection is not provided, then you should not proceed with the transfer. So, in the worst-case scenario, you may have to suspend the transfer of personal data outside of the EU.

• Regardless of the decision made, you should ensure that you document all the steps you have followed as part of the assessment and note that data protection authorities could request to see your documentation and what you have considered as part of this process.

Why do Transfer Impact Assessments matter?

Transfer Impact Assessments are critical, and a lot can go wrong if you get this wrong. As a prime example, Meta (owner of Facebook) was hit with a record-breaking fine of €1.2 billion by the Irish data protection regulator, the largest fine ever issued under the GDPR.

The fine was issued because the tech giant’s transfer of personal data from the EU and EEA to the US was found to be in breach of GDPR. Although the company had in place SCCs, the regulator found that it did not properly address the risks to personal data being transferred to the US with suitable ‘supplemental measures’. See our article on this.

For further information on what happens if you get data protection law compliance wrong, see our article.

What about transfers of personal data outside of the UK, subject to the UK GDPR?

Our guidance above focusses on legal rules under the GDPR (EU data protection law). In the UK, companies need to follow the UK GDPR and the UK Data Protection Act.

As an appropriate safeguard for the transfer of personal data outside of the UK, organisations can use the UK International Data Transfer Agreement (IDTA), or an addendum to the European Commission’s SCCs for international data transfers (UK Addendum) together with the European Commission SCCs.

If you’d like to learn more about restricted transfers and which approach is best to adopt, the IDTA or the UK Addendum, then please read our guidance explaining data transfers from the UK.

Transfer Risk Assessments under the UK GDPR

In the UK, organisations can use a ‘Transfer Risk Assessment’. A Transfer Risk Assessment allows organisations to make a restricted transfer from the UK by ensuring appropriate safeguards are in place to address the circumstances of the restricted transfer. A Transfer Risk Assessment must always be conducted prior to putting in place Article 46 appropriate safeguards, and can be said to be the UK equivalent to the Transfer Impact Assessment under EU GDPR.

The UK ICO has published a Transfer Risk Assessment Tool and guidance. This tool is designed to apply only to non-complex transfers and shouldn’t be used for high-risk processing activities. The ICO’s tool is only suitable for UK GDPR compliance, so if EU GDPR applies to an international data transfer, then the EDPB guidance (above) needs to be followed.

The Transfer Risk Assessment would enable a data exporter to determine if the transfer mechanism they intend to use for the restricted data transfer provides an adequate level of protection for that transfer. The ICO’s approach focusses upon whether transfers of personal data will increase the risk to the privacy of individuals, compared with the risk if their data stayed in the UK. If a significant risk is presented, then the transfer shouldn’t go ahead. The ICO’s approach looks at human rights in the destination country and attempts to present a business-friendly and practical approach.

The ICO has also set out guidance on what constitutes a restricted transfer and who is responsible for conducting this assessment – please contact us if you would like advice on these points.

The ICO’s Transfer Risk Assessment sets out 6 questions:

Question 1 – What are the specific circumstances of the restricted transfer?
Here, organisations need to consider detailed information on the relevant restricted transfer, e.g. which personal data is being transferred and why, together with any measures adopted to protect the data which is being transferred.

Question 2 – What is the level of risk to people in the personal information you are transferring?
Here, organisations need to assess the level of risk involved in the transfer of personal data – i.e. a low, moderate or high risk.

Question 3 – What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
Here, organisations should assess what level of investigation needs to be carried out in relation to the data being transferred.

Question 4 – Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
Here, organisations need to assess if the transfer of personal data will increase the risk of the data subjects suffering a human rights breach in the country personal data is sent to.

Question 5 – (a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK? (b) If enforcement action outside the UK may be needed: are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
This question requires organisations to assess whether they themselves and the relevant data subjects would be able to enforce their rights under Article 46 (e.g. under the SCCs), in the UK against the relevant data importer, or in the third country or elsewhere.

Question 6 – Do any of the exceptions to the restricted transfer rules apply to the ‘significant risk data’?
The final question considers whether any exemptions apply to the ‘significant risk data’, e.g. if the organisation has taken explicit consent from the data subject to allow for their personal data to be transferred to the relevant third country.

Organisations can use the ICO’s tool and questions to decide whether to proceed with the international transfer of personal data. If it’s determined that the organisation’s Article 46 mechanism won’t provide effective safeguards and protect the rights of the data subject, then the restricted transfer cannot go ahead.

There are various differences between a Transfer Impact Assessment under the EU GDPR and a Transfer Risk Assessment under the UK GDPR, and the ICO allows organisations to use either the EDPB’s guidance or its own tool – see our article on this.

Although it may be easier to use, the ICO’s Transfer Risk Assessment tool might not be appropriate, depending on the nature of your international data transfers. Please contact us if you’d like advice on this.

How Harper James can help

It is important that you get this right. Our data protection and GDPR legal experts can assist you in your Transfer Impact Assessments used for data transfers between EU and non-EU countries. We can also assist with Transfer Risk Assessments for the transfer of data from the UK to countries that are not covered by UK ‘adequacy regulations’.

There are a lot of complex factors to consider, including the laws of different countries. Laws and practices in another country are not readily found on the internet or necessarily correct, but our lawyers can help identify and interpret laws for you.

Where supplementary measures have been put forward as part of an assessment, such measures need to be assessed by an organisation’s information security team to check if they keep the personal data safe. We can assist your information security team by analysing the information they need to consider from the importing organisation, to ensure their assessment is fit for purpose.

As this guide has explained, this is a detailed and complicated exercise. If you’d like help with any aspects of the topics covered, get in touch with our friendly and knowledgeable experts who would be happy to help.
