Data Transfer Impact Assessment

Definition

A Data Transfer Impact Assessment (DTIA) is the documented analysis a data exporter must complete after Schrems II (Case C-311/18, July 2020) before relying on Standard Contractual Clauses or other Article 46 mechanisms to send personal data outside the EEA. The DTIA assesses the laws and practices of the third country (particularly its surveillance and government-access regime), the categories of data being transferred, the technical and organisational measures in place (encryption in transit and at rest, key management, access controls, pseudonymisation), and contractual measures (SCCs, audit rights, breach notification). If the assessment concludes the third country does not offer essentially equivalent protection, the exporter must apply supplementary measures (typically encryption with EEA-held keys, anonymisation, or splitting of data) to bridge the gap. The European Data Protection Board (EDPB) Recommendations 01/2020 set out the methodology. DTIAs do not need to be filed with the DPC but must be available on request and must be re-assessed when the law of the third country changes.

Why it matters for software choice

Most Irish SMEs rely on a vendor's published DTIA template rather than completing their own. Vendors that publish a downloadable DTIA, list the supplementary measures they apply, and update it when transfer law changes save days of compliance work and limit DPC-investigation risk.

Authority sources

• EDPB Recommendations 01/2020 on supplementary measures (edpb.europa.eu)
• DPC: International data transfers (www.dataprotection.ie)

Software categories this affects

Vendors covered by this term

Related terms