Following on from our article on The New Standard Contractual Clauses, below we look at Data Transfer Impact Assessment considerations.
What is a Data Transfer Impact Assessment (DTIA) and when is it needed?
Simply put, the DTIA is an assessment process that needs to be carried out by those wanting to export data outside the European Economic Area (EEA) to what are known as third countries (see further below).
The need for a DTIA was confirmed with the recent release of the new EU Standard Contractual Clauses (the New EU SCCs) and must be carried out when exporting data from the EEA to countries that have not been recognised with an ‘adequacy decision’ by the European Commission (EC).
An ‘adequacy decision’ is essentially a recognition by the EC that the country in question has an adequate level of data protection laws to ensure that a data subject gains a similar level of protection to what s/he would receive under EU data protection laws. Where a country has not been so recognised, it is known as a ‘third country’ to which additional restrictions apply before data can be transferred there (see below).
The responsibility lies with the data exporter to assess the laws of the third country; they must also determine who the local data protection authority is in the third country, if any, and whether there are any form of laws, regulations and practices committed to data protection in place there. Not an easy task.
Key steps for exporting data
The European Data Protection Board (EDPB) has recommended a six-step process that should be followed when exporting data from the EEA to a country outside it:
As the data exporter is ultimately accountable to the data subject and supervisory authority, all assessments should be properly documented.
Given the increased level of burden on the exporter, it is important to have in place a proper DTIA. We have created various documents and guidance that could assist you with completing your DTIA. For more information, please get in touch with our commercial team.
Where does that leave the UK?
The above rules relate to transfers from the EEA only to third countries outside the EEA. The UK has also recently been recognised as providing an adequate level of data protection by the European Commission and accordingly, data can continue to flow as it did previously between the EEA and the UK without issue.
The position on the transfer of data from the UK to third countries (i.e. those without an adequacy decision by the UK ICO) is slightly different. While the UK ICO has adopted the old EU Standard Contractual Clauses (UK SCCs) with some amendments, there is presently no mandatory requirement to carry out a separate DTIA.
The UK ICO is however in the process of creating its own process to govern international transfers and has recently launched its consultation on a new International Data Transfer Agreement (IDTA) that is intended to replace the UK SCCs.
Watch this space as we will be updating on the developments around international transfers from the UK.
Get it in writing – Commercial Contracts
The new standard contractual clauses
Michael Penhallurick v MD5 Limited; who owns the code you create from home?