Transfer Impact Assessments under GDPR: Ensuring Compliance with International Data Transfers
In the wake of the Schrems II ruling, Transfer Impact Assessments (TIAs) have moved from a theoretical best practice to a mandatory component of international data flows. This paper examines the practical steps organisations must take to validate transfers to third countries.

He who transfers must assess
The Court of Justice of the European Union (CJEU) ruling in Schrems II fundamentally altered the mechanism of international data transfers. Invalidating the EU-US Privacy Shield was the headline; the operational reality that followed was the requirement that data exporters verify the "essential equivalence" of protection in the destination country.
Standard Contractual Clauses (SCCs) remain the primary vehicle for most transfers, but they are no longer a "sign and forget" instrument. A TIA is the due diligence that proves the SCCs can actually be respected in practice, given the laws and surveillance practices of the recipient country.
The Four-Step Assessment Methodology
A defensible TIA process generally follows four distinct stages, which map closely to the EDPB's recommendations:
1. Know your transfer
You cannot assess what you do not document. This stage involves mapping the specific data fields, the technical method of transfer (API, batch file, remote access), the onward transfer chain (sub-processors), and the purpose of the processing.
2. Verify the transfer tool
Identify the Article 46 transfer tool being relied upon. For most commercial vendors, this will be the 2021 Standard Contractual Clauses (Module 2 for Controller-to-Processor).
3. Assess the law and practice of the third country
This is the most challenging component. Does the destination country have laws that allow public authorities to access data in a way that goes beyond what is necessary and proportionate in a democratic society? For transfers to the US, this assessment usually centres on Section 702 of FISA and Executive Order 12333.
4. Identify and adopt supplemental measures
If the local law assessment reveals gaps in protection, can technical, contractual, or organisational measures fill them?
- Technical measures: Encryption in transit and at rest, with keys generated and held in the EEA or an adequate country, is the gold standard. If the data is unreadable to the surveillance authority, the risk is effectively neutralised.
- Contractual measures: Commitments to challenge access requests and notify the data exporter.
- Organisational measures: Policies on handling government requests and transparency reporting.
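The own-key encryption measure described above, as an added example that is not part of the original paper or of any product it mentions: an exporter-side key store (standing in for an EEA-resident KMS or HSM; the store, the envelope format, the key identifier and the transfer identifier are all constructed for this illustration) seals each record with AES-256-GCM before it crosses the border, the importer receives and stores only the envelope, and an importer-side decryption attempt with a key of its own fails authentication. Binding the transfer identifier in as associated data also rejects an envelope that is later re-attached to a different transfer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the only artefact that crosses the border. The importer stores it
// but never receives a key that can open it. (Constructed format for this example;
// []byte fields are base64-encoded by encoding/json.)
type Envelope struct {
	KeyID      string `json:"key_id"`     // names the exporter-held key, never the key itself
	Nonce      []byte `json:"nonce"`      // 96-bit AES-GCM nonce, fresh per record
	Ciphertext []byte `json:"ciphertext"` // AES-256-GCM output including the auth tag
}

// KeyStore stands in for a KMS or HSM. The exporter's instance lives in the
// EEA; keys are generated and used inside it and never leave.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// NewKey generates a random 256-bit key under the given identifier.
func (s *KeyStore) NewKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.keys[id] = k
	return nil
}

func (s *KeyStore) aead(id string) (cipher.AEAD, error) {
	k, ok := s.keys[id]
	if !ok {
		return nil, errors.New("unknown key id: " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record before transfer. transferID is bound in as
// associated data, so an envelope cannot be re-attached to another transfer.
func (s *KeyStore) Seal(keyID, transferID string, plaintext []byte) (Envelope, error) {
	g, err := s.aead(keyID)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(transferID))
	return Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. It only succeeds where the matching key lives, and GCM
// rejects ciphertext that was tampered with or re-bound to another transfer.
func (s *KeyStore) Open(env Envelope, transferID string) ([]byte, error) {
	g, err := s.aead(env.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, env.Nonce, env.Ciphertext, []byte(transferID))
}

// TransferPayload is the JSON the importer actually receives and stores.
func TransferPayload(env Envelope) ([]byte, error) { return json.Marshal(env) }

// ImporterOpenAttempt models the importer (or an authority compelling it)
// trying to read the envelope with the only keys it has: its own. The
// exporter's key never crossed the border, so authentication fails.
func ImporterOpenAttempt(env Envelope, transferID string) error {
	importer := NewKeyStore()
	if err := importer.NewKey(env.KeyID); err != nil { // same id, different key material
		return err
	}
	_, err := importer.Open(env, transferID)
	return err // non-nil: "cipher: message authentication failed"
}

func main() {
	exporter := NewKeyStore() // EEA-resident
	if err := exporter.NewKey("eea-hsm-key-01"); err != nil {
		panic(err)
	}
	record := []byte(`{"name":"Anna Example","dob":"1990-01-01"}`) // constructed sample
	env, err := exporter.Seal("eea-hsm-key-01", "transfer-0001", record)
	if err != nil {
		panic(err)
	}
	payload, _ := TransferPayload(env)
	fmt.Printf("leaves the EEA: %s\n", payload)
	fmt.Println("importer-side decrypt:", ImporterOpenAttempt(env, "transfer-0001"))
	pt, err := exporter.Open(env, "transfer-0001")
	fmt.Printf("exporter-side decrypt: %s (err=%v)\n", pt, err)
}
```

The measure only holds for as long as the importer never needs the plaintext and the key material stays with the exporter; encryption at rest under keys the importer itself manages does not close the gap, because those keys can be compelled along with the data. A TIA relying on this measure should therefore record where the keys are generated, who can call the decrypt operation, and that the importer's processing genuinely works on ciphertext only.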
Automating the Complexity
Given the complexity of international laws, manual TIAs are prone to inconsistency. Acompli approaches this by structuring the TIA as a workflow.
By leveraging a knowledge base of country-specific legal assessments, Acompli allows DPOs to focus on the specific facts of the transfer—the "what" and "how"—while the platform surfaces the relevant "where" risks. This ensures that a transfer to a US cloud provider is assessed consistently across the organisation, rather than depending on which project manager fills out the form.
Conclusion
The era of unchecked data flows is over. However, compliance need not mean data localisation. A robust, documented TIA process—supported by technical measures like own-key encryption—allows global business to continue while respecting the fundamental rights of data subjects.