Data Transfer Risk


On July 16, 2020, the Court of Justice of the European Union (CJEU) decided the Schrems II case (officially: Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems). The judgment invalidated the EU-US Privacy Shield. It left the European Commission's Standard Contractual Clauses (SCCs) valid, but held that a data exporter relying on them must verify, transfer by transfer, that the law and practice of the destination country allow the clauses to be honoured; the subsequent guidance of the European Data Protection Board (EDPB) applies that case-by-case assessment to every safeguard mechanism used to transfer personal data out of the European Union, not just SCCs.

Based on the EDPB guidance, companies must determine whether they are subject to the GDPR, discover their data and where it flows, assess their vendors, examine the third countries to which personal data is transferred, implement safeguards to manage the identified risks, and demonstrate GDPR compliance. Because the assessment is derived from the CJEU's reasoning in Schrems II and the EDPB guidance published in response, it takes a European-centric approach to data transfers. Depending on the data flows in a particular instance, the actual risk may be lower than the score suggests; for example, data flows from the United States to another country are less restricted than flows out of Europe, so the destination country's risk score may be less of a concern.

The Data Transfer Risk (DTR) score is designed to analyze the privacy protections and surveillance practices of each destination country: which safeguards already exist, where there may be systemic failures, and where there may be extensive government or intelligence agency surveillance. The scoring criteria are organized into three categories, each supported by a number of sub-criteria:

1. Legal regime in the destination country — whether the country upholds democratic ideals, enshrines constitutional and statutory protections for privacy, and participates in treaties, conventions, or other programs that govern privacy.
2. Presence of an independent supervisory authority — one to whom complaints can be directed and who actively investigates and regulates the market.
3. Government surveillance and data-sharing practices — examining the necessity and proportionality of national security or intelligence measures that encroach on privacy, whether there is appropriate judicial oversight, and the degree to which individuals are protected and companies can refuse to cooperate with such intrusions.
Diagram: DTR scoring methodology, showing the three scoring categories and their sub-criteria.
Diagram: DTR scoring scale, showing how scores map to risk levels.
Business Process Records
TrustArc automatically calculates a Data Transfer Risk score for Business Process records created using Template Type 1 or Template Type 2 in the Data Mapping & Risk Manager.
📋 Note: Template Type 3 does not support the creation of a Data Flow Chart, so no Data Transfer Risk score can be calculated for Business Process records that use this template type.
For each Business Process record with a Data Flow Chart, TrustArc's Data Transfer Risk algorithm analyzes the countries of the record's System Hosting locations and Data Recipients. Each country to which data is transferred receives a score based on the scoring criteria described above.
If a Business Process record transfers data to multiple countries, the record's overall Data Transfer Risk score is the highest score across all of those countries.
Diagram: Business Process record DTR calculation, with System Hosting locations and Data Recipients mapped to country scores.
System Records
TrustArc automatically calculates a Data Transfer Risk score for System records based on the hosting locations added to the record.
If data is transferred from a data subject to a hosting location in the same country, that transfer is excluded from the calculation, as it is not considered an international data transfer.
Diagram: System record DTR calculation, with hosting locations mapped to country-level DTR scores.
Diagram: System record DTR example, in which the highest country score becomes the record's overall score.
Company Entity & Third Party Records
Company Entity and Third Party records inherit the highest Data Transfer Risk score from the records they own:
Third Party records inherit from the System records they own.
Company Entity records inherit from the Business Process and System records they own.
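To make the roll-up rules concrete, here is an added example in Python. It is not TrustArc's code and not the product's actual scoring algorithm; it only models the three record types above and applies the rules this page states: the same-country exclusion for System records, the highest-score rule across countries, the Template Type 3 caveat for Business Process records, and the inheritance of the highest owned score by Third Party and Company Entity records. The country scores, record names, and countries are constructed placeholders; TrustArc's real per-country scores and scoring scale are not reproduced on this page.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed, illustrative country-level DTR scores (placeholders only).
# TrustArc derives its real per-country scores from the three scoring
# categories above; neither the scale nor the actual values appear here.
COUNTRY_DTR = {"DE": 1, "FR": 1, "US": 3, "IN": 4}


def country_score(country: str) -> int:
    """Look up the placeholder DTR score for a country code; fail loudly if unknown."""
    try:
        return COUNTRY_DTR[country]
    except KeyError:
        raise ValueError(f"no DTR score defined for country {country!r}") from None


@dataclass
class SystemRecord:
    name: str
    data_subject_country: str     # where the data subjects are located
    hosting_countries: List[str]  # countries of the record's hosting locations


@dataclass
class BusinessProcessRecord:
    name: str
    template_type: int  # Template Types 1 and 2 have a Data Flow Chart; 3 does not
    hosting_countries: List[str] = field(default_factory=list)    # System Hosting locations
    recipient_countries: List[str] = field(default_factory=list)  # Data Recipients


def max_or_none(scores: Iterable[Optional[int]]) -> Optional[int]:
    """Highest score among those present; None when nothing was scored."""
    present = [s for s in scores if s is not None]
    return max(present) if present else None


def system_dtr(rec: SystemRecord) -> Optional[int]:
    # A transfer to a hosting location in the data subjects' own country is not
    # an international transfer and is excluded from the calculation.
    international = [c for c in rec.hosting_countries if c != rec.data_subject_country]
    return max_or_none(country_score(c) for c in international)


def business_process_dtr(rec: BusinessProcessRecord) -> Optional[int]:
    # Template Type 3 has no Data Flow Chart, so there is nothing to score.
    if rec.template_type == 3:
        return None
    # The page states the same-country exclusion only for System records,
    # so it is not applied here: every charted country receives a score.
    countries = rec.hosting_countries + rec.recipient_countries
    return max_or_none(country_score(c) for c in countries)


def third_party_dtr(owned_systems: Iterable[SystemRecord]) -> Optional[int]:
    # Third Party records inherit the highest score of the System records they own.
    return max_or_none(system_dtr(s) for s in owned_systems)


def company_entity_dtr(owned_processes: Iterable[BusinessProcessRecord],
                       owned_systems: Iterable[SystemRecord]) -> Optional[int]:
    # Company Entity records inherit from both Business Process and System records.
    return max_or_none([business_process_dtr(p) for p in owned_processes]
                       + [system_dtr(s) for s in owned_systems])


def demo() -> dict:
    """Constructed scenario: a German company entity with three systems and two processes."""
    crm = SystemRecord("CRM", "DE", ["DE", "US"])          # DE excluded, US scores
    archive = SystemRecord("Archive", "DE", ["DE", "FR"])  # DE excluded, FR scores
    hr = SystemRecord("HR", "DE", ["DE"])                  # no international transfer
    marketing = BusinessProcessRecord("Marketing", 1, ["DE"], ["US"])  # recipient drives score
    legacy = BusinessProcessRecord("Legacy export", 3, ["IN"])         # Template Type 3: unscored
    return {
        "crm": system_dtr(crm),
        "archive": system_dtr(archive),
        "hr": system_dtr(hr),
        "marketing": business_process_dtr(marketing),
        "legacy": business_process_dtr(legacy),
        "cloud_vendor": third_party_dtr([crm, archive]),
        "company": company_entity_dtr([marketing, legacy], [crm, archive, hr]),
    }


if __name__ == "__main__":
    for record, score in demo().items():
        print(f"{record:<13} DTR = {score}")
```

Run the file directly to print each record's score. The scenario is deliberately built so that the Template Type 3 process, although it sends data to the highest-scoring placeholder country, stays unscored and therefore does not raise the Company Entity's inherited score; anyone relying on entity-level DTR should treat an unscored record as a gap to investigate rather than as low risk.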
International Data Transfer Impact Assessment (IDTIA)
You can complete an International Data Transfer Impact Assessment for each record.
Based on the assessment responses, a Residual Data Transfer Risk score is calculated and appears in the Residual Data Transfer Risk column of the Risk Profile.
An International Data Transfer Risk Report can also be generated, providing detailed information on the international data transfer risk for a business process activity record.
Diagram: International Data Transfer Impact Assessment pop-up, with the assessment questions and the resulting Residual Data Transfer Risk score.
TrustArc Data Mapping & Risk Manager  ·  Data Transfer Risk  ·  support.trustarc.com