Transfer Bloody Impact Assessments – why they are damn necessary

By Eoin Cannon
February 10, 2022
11min read
transfer impact assessments to see under the bonnet

The new Standard Contractual Clauses ‘SCC’s’ are well embedded by now, or at least they should be, boys and girls, and for those of you who have been implementing this contractual piece properly well done to you. For those, who have not, well then you are very bold indeed, and I’m assuming you have not done your Transfer Impact Assessment ‘TIA’ either. Brat!

The key aspect which these clauses have brought for those who wish to be compliant is the ‘I’ll show you mine if you show me yours’ dance which applies to the transfer of personal data and general visibility, which is now applied to where the bloody stuff is damn well being sent.

The spirit of this application is admittedly a little dull as it does not stem from a buccaneering desire to uphold data subject rights as a basic and fundamental human right, but from the dull moist hand of insurance compliance. The driver of interest for what must be the most cynical of professions is simply the risk associated with handling data bad. Yes, I could phrase that last sentence differently but I have a lift waiting as I type, so we must skip onto the real point relating to said risk, which is that if you act like an idiot, you will surely be treated like one also by your insurers.

Not implementing retention, processing without a correct legal basis or not transferring before undertaking a Transfer Impact Assessment, means you are potentially subject to either a) being sued or b) getting to taken to the cleaners by your supervisory authority, both of which are bad for business in insurance world, meaning you are facing eye-wateringly high premiums or the ignominy of un-insurability.

So you need the damn things done these days and well in advance of being asked. To not do so leaves a company exposed as you will look unprofessional and it will either a) take you a lot of time to create yourself or b) cost you a lot of money to get someone else to create it for you. Castlebridge of course are a dab hand at proving the latter for what you might call a very competitive fee, and it is from that vantage point that we can advise they are no ‘cut-and-paste’ job.

The TIA will underpin the SCC which itself is a malleable being. There are benefits to this flexibility of course, but it does demand assessment and scrutiny of the data environment, work which is all done via the TIA, and this is why companies will want to see yours. The cheeky chappies want some idea of what is under the bonnet, as to not do so now affects their insurance leaving via the assertion they had not correctly managed their own risk. Then comes the bit that may be hard to swallow, should they not like what they see, they may disassociate and the promise of any contract could be gone.

Breaking of or simply not pursuing with a contract on the basis of ensuring the rights of a data subject may have a high-minded ring to it, but it could be just the leverage needed to leave you high and dry for any other number of other reasons. So if you haven’t done it already, get drafting that TIA before someone comes looking for it, or else it will be too late.


How Can We Help?

Castlebridge helps organisations not just by creating documents for compliance (like a TIA) but to think about their data as a critical asset that has to be governed well to mitigate and manage data-related risks. This goes beyond just putting in the frameworks,  tick-box templates and a shiny software, and it includes education and training of staff at all levels in fundamentals of data and data management.

If you aren’t sure about your needs, you can book an Advisory Clinic call with our team for a 1 hour quick consultation and diagnosis.

Related Insights


Keep up to date with all our latest insights, podcast, training sessions, and webinars.