
Transfer Impact Assessment: The key to digital privacy and compliance is control over data flows

Data transfers to third countries that do not guarantee an adequate level of protection are something that can keep anyone in charge of data privacy compliance awake at night. How do you minimize compliance risk when, for example, sending personal data to the United States? The first step to efficient compliance risk management is to get your data flows, processes and delegation of responsibilities under control.

The landmark ruling by the European Court of Justice in the summer of 2020 in the Schrems II case had direct consequences for thousands of businesses that transfer personal data to the USA every day. Schrems II invalidated the EU-US ‘Privacy Shield’, and with it the legal basis that had allowed European businesses to transfer personal data to the USA without further safeguards. The Court also made clear that transfers under Standard Contractual Clauses to any third country must be assessed case by case, and supplemented with additional measures where the law of the destination country does not offer protection essentially equivalent to that under GDPR.

Digital privacy in the wake of Schrems II

Although the ruling is no longer news, the aftershocks from Schrems II are still being felt.
It kept a lot of data controllers awake at night, because the lack of clear guidance made it difficult to see how businesses could navigate the new reality and uphold digital privacy in the wake of Schrems II.

How can you ensure data privacy compliance when transferring personal data to a third country that does not provide the same level of protection and digital privacy as that within the EU's borders, whilst maintaining efficient and competitive business practices? That’s the question that’s left businesses of all sizes and in all sectors in no man’s land.

The truth is that there is no simple answer, because the outcome depends on the specific transfer: the data, the recipient, the transfer tool and the law of the destination country. That means most businesses will have to perform their own risk assessment to minimize compliance risk. But one thing is certain: the worst thing you can do is nothing, in the hope that your business will slip under the radar. The consequences of not having the right risk and compliance tools in place when transferring data to a third country such as the USA can be far-reaching, in terms of both reputation and finances.

The dilemma concerning third-country transfers and potential data privacy breaches has only grown as businesses of all sizes and in all sectors accelerate their cloud migration. While the benefits of the cloud, such as cost reductions, greater efficiency, a boost to innovation, scaling and faster time-to-market, are clearly evident, there are important compliance risk questions to consider. You have to put focus on compliance risk management and digital privacy.

Compliance risk management: Control your data flows

When sending data across the Atlantic, it is crucial to have an accurate overview of what data flows where. Managing processes and data flows is key to ensuring your business's GDPR compliance. It is the only way you can assess your compliance risk accurately and make adjustments when necessary. Pitfalls and potential data breaches occur when you do not have control over your data flows to third countries.

But given the amount of data flowing internationally nowadays, compliance risk management is easier said than done. You need to put focus on a governance, risk and compliance (GRC) framework, and this is where NNIT comes into the picture. We can help you gain the overview you need, and ensure that processes, procedures and delegation of responsibilities are in place to optimize your data privacy compliance.

The European Data Protection Board (EDPB) sets out six steps in its recommendations on how to ensure digital privacy as a business and comply with GDPR when transferring data to third countries: know your transfers, identify the transfer tool you rely on, assess whether that tool is effective in light of the law and practice of the destination country, adopt supplementary measures where it is not, complete the necessary procedural steps, and re-evaluate at appropriate intervals. NNIT always applies those six steps when advising and helping businesses with compliance risk management in connection with transfers to third countries. Where it is possible, we recommend keeping personal data on European soil, which avoids the transfer question altogether.

We also facilitate the process of conducting the EDPB-recommended TIA (Transfer Impact Assessment), which includes a legal assessment of whether the law and practice of the recipient country, in particular public authorities' access to data, undermine the protection offered by the chosen transfer tool when measured against applicable EU requirements.

Regulatory compliance is about obeying the applicable laws, rules and standards.

To ensure data privacy compliance you must fulfil all legal requirements, regardless of sector or the markets you operate in. That requires knowing and understanding which specific policies, rules and documentation requirements apply, and what they mean for your organization and its business.


From Compliance Assessment to Implementation

How far businesses have come in terms of ensuring data privacy compliance for transfers to third countries differs considerably. That’s why NNIT offers Compliance Assessment to determine the status of your compliance.

Some of the things our regulatory compliance specialists look at:

  • Are your documentation and checks adequate to ensure digital privacy?
  • Does your business have the necessary procedures and processes in place, and do you comply with them?
  • Have you got the right compliance risk management team? You may have the best risk and compliance tools and procedures, but if you don’t have the right skills to implement them, they’re no good to you.
  • Is the delegation of responsibilities clear enough? In many businesses responsibility falls between the IT and Legal departments; the ideal solution is for both to sit at the table.


On that basis, we can advise and recommend, and facilitate the process by optimizing and introducing the right procedures and processes in your business. And we will help ensure smooth implementation, from putting together the right skill set to training the people given the job of ensuring your data privacy compliance.

Thanks to our broad expertise within IT and digital transformation, our regulatory compliance specialists always start by examining your existing IT solutions and your strategic ambitions for using the cloud and digital transformation.

Can we help boost your data privacy compliance?

Are you worried about whether your business complies with GDPR when transferring data to a third country? Are you in doubt about whether your Binding Corporate Rules (BCRs) are sufficient when employees travel to such countries with company data? Or are you unsure whether your processes and procedures are sufficient to avoid data privacy breaches and provide the protection essential when sending personal data across the Atlantic? Whatever your concerns or challenges, we are here to help.

We can offer advice, recommendations and help with implementation to improve compliance risk management for transfers to third countries.