RESPONSUM allows users to follow a guided approach to define the risks related to (Personal) data being transferred to a third country that might not have sufficient safeguards in place. This can be done by conducting a Transfer Impact Assessment (TIA) for each data transfer linked to a processing activity
General information about TIA functioning
The TIA sub-module can be found under Privacy Management >> Legal Management. Here you will find an overview of all the Transfer Impact Assessments that have been conducted for the different processing activities.
RESPONSUM will automatically create a TIA once it in the ROPA detects a Data Disclosure to a third country. But it is also possible to add your own TIA for a processing activity. Multiple TIA items can be linked to a single processing activity.
Best practise is to conduct a TIA for each third country where data is distributed to as part of the processing activity.
Adding a TIA
A new Transfer Impact Assessment can be added under Privacy Management >> Legal Management >> Transfer Impact Assessment. Pressing “Add TIA” will allow you to provide the following details:
Step 1: Processing Activity
- Enter the name of the TIA;
- Link the assessment to one or more processing activities within the ROPA by typing to search or selecting the correct one from the dropdown list;
- Link the assessment to one or more IM Systems within Infrastructure Management by typing to search or selecting the correct one from the dropdown list;
- Select the “location of the importer” (Country)
- Set a review interval (how long before this assessment must be reviewed)
Step 2: Context
- Select what personal data is being transferred (The data attributes shown to choose from are a filtered list of the Data Attributes used in the selected Processing activities in Step 1)
- You have the ability to add a textual justification by pressing “Add justification”
- Select if the involved entities are Public or Private
- You have the ability to add a textual justification by pressing “Add justification”
- Select the “Entity Role” of the importer in the Third country this assessment is conducted for (Controller or Processor)
- You have the ability to add a textual justification by pressing “Add justification”
- Select the “Related Sector” the importer in the Third country is situated in
- You have the ability to add a textual justification by pressing “Add justification”
- Indicate whether the data will be stored or only referenced (Remote access) from within the Third country
- You have the ability to add a textual justification by pressing “Add justification”
- Select the format in which the data will be transferred to the Third country (Cleartext (Readable files with all identifiers in place), Pseudonymized (Information left out to not make it directly identify a data subject) or Encrypted);
- You have the ability to add a textual justification by pressing “Add justification”
- Indicate whether it is possible that the data transferred to the Third country is in turn transferred to another Third country for processing;
- You have the ability to add a textual justification by pressing “Add justification”
- Indicate whether the importer has a legal obligation that prevents it from answering questions related to this TIA assessment;
- You have the ability to add a textual justification by pressing “Add justification”.
Step 3: Laws
A questionnaire is provided depending on the country of the importer selected. This questionnaire will question the legislations the importer must adhere to that can potentially request data to be analysed.
For US importer, a specific questionnaire will be provided.
Step 4, 5 and 6: Risk Identification, Assessment and handling
These steps will allow you to define (new or existing) and assess all risks that are related to the transfer of personal data to the importer. Once the risks have been assessed, a way to handle these risks can be defined.
