The Service

The BH Consulting Transfer Impact Assessment (TIA) clarifies your organisation’s exposure to risks linked to transferring personal data of EU residents to countries without an existing EU data protection adequacy agreement. A transfer impact assessment (aka a Transfer Risk Assessment) is required to comply with the Schrems II ruling and supports planning for any required change.

Transfer Impact Assessments are mandated in both the recently issued European Data Protection Board (EDPB) guidance on Supplementary Measures and the updated draft of the Standard Contractual Clauses (SCCs)

Each individual assessment is relatively quick to do, clarifies required next steps, and enables you to demonstrate GDPR accountability to both internal stakeholders and customers. It also provides clarity about scope to illustrate effort required and prioritise work.

This service can be carried out remotely.

The Benefits

  • Understand your exposure to changes required by updated Data Privacy guidance, in line with Schrems II

  • Prioritise next steps based upon legal requirements, EU guidance, and your local risk

  • Demonstrate your due diligence and progress towards compliance with both the GDPR and other comparable laws and regulations

  • Build a reusable risk-based overview of data transferred to existing and future suppliers

  • Establish mature mechanisms to keep on top of due diligence and contract assurance for personal data transfers

The Challenge

The Schrems II judgement invalidated Privacy Shield and highlighted a need to supplement Standard Contractual Clauses (SCCs) with additional measures, if transferring personal data to countries that do not offer “Essentially Equivalent” protection to the EU. This Data Transfer Impact Assessment enables you to confirm if a transfer is in scope of the judgement and clarifies required next steps.

Required changes have not always been clear and updates to existing supplier relationships are potentially disruptive and costly. We have been working with our customers to identify in-scope transfers and plan required work for several months. This has allowed us to lay solid foundations for change. First updating those agreements that rely upon Privacy Shield, then assessing risks associated with agreements that rely upon Standard Contractual Clauses (SCCs). Our early action on risk assessment laid foundations for this data transfer impact assessment, integrating latest advice from the EU.

Our Process

At BH Consulting we conduct a rapid initial triage to prioritise and plan Data Transfer Impact Assessment workshops. This allows you to confirm where risk is low, or work could be deferred to a later stage of activity. During workshops we use EU criteria and established data protection good practice to assess risks associated with a new or existing EU data transfer. The output provides you with an understanding of the steps required and the means to plan changes to mitigate or minimise highlighted risks.

We will work with your organisation on developing an action plan to manage the implementation of the given recommendations. Our experienced consultants will also help you establish and document the tailored data transfer impact assessment process for your organisation to use internally going forward.

We will work with you to deliver a full report which will include :

  • Identify the nature of the transfer and the potential risks in relation to the countries of destination concerned
  • Data mapping (based on your current ROPA)
  • Identification of where a third country offer an essentially equivalent level of protection
  • Advice on supplementary measures to introduce for particular type for transfers
  • An assessment of any applicable derogation can be relied upon

Let’s Talk

Please leave your contact details and a member of our team will be in touch shortly.

  • By submitting my information I consent to my data being processed by BH Consulting. For further information please read our privacy statement.
  • This field is for validation purposes and should be left unchanged.