
Establishing TIA Procedures

In this video, we cover how to conduct and establish TIA procedures as well as draft a template that works for your organization.

There is currently no official TIA template. However, there are some organizations that provide example template TIAs, such as OneTrust, and these templates can be customized to fit your organization’s needs. Or, if you prefer, you may choose to draft your own template from scratch. 

It is important to make the content of the TIA easily understandable to whoever will be required to fill out the TIA. 

A TIA is usually filled out by an internal business owner, a third-party vendor, and an internal privacy professional. Consider your audience when drafting each section of the TIA.

The sections of a TIA should include the following: 

Basics of data transfer 

  • Introduction explaining why the TIA is necessary 

  • Who is sending and receiving the data? 

  • Where is the data being taken from and sent to? 

  • Why is the data being transferred? 

  • Will the data importer transfer the data to other subprocessors? 

Possible safeguards 

  • Can the data be minimized? 

  • Is access to the data restricted? 

  • Is the data encrypted? 

Assessing country into which the data is being imported 

With these questions, you are trying to assess the protections that the third country provides to individuals and their personal information. You can ask questions such as:

  • Has the EU determined that the country has adequate privacy protections? 

  • Does the country have its own privacy laws? How do they compare to the GDPR? 

  • Do individuals have access to effective remedies in the event of unlawful government access to personal data?

  • Does the country have laws (e.g., national security or criminal laws) that permit public authorities or agencies to access the data that will be transferred to the data importer? 

  • Does the country’s law enforcement often request access to data in the data importer’s industry? 

  • Does the country’s law enforcement often request access to data in the data exporter’s industry? 

  • What has been the data importer’s experience with governmental surveillance and law enforcement requests for information? 

For additional guidance on this section, see Section 2.3 of the guidance issued by the European Data Protection Board. 

Assessment results 

  • Is there anything you can do to improve data protection for this transfer? 

  • Understanding the risks, will you proceed with the data transfer? 

In the next video, we will go over how to conduct a TIA.

*** This is a Security Bloggers Network syndicated blog from "Ask Aleada" Blog - Aleada Consulting authored by "Ask Aleada" Blog - Aleada Consulting. Read the original post at: https://www.aleada.co/ask-aleada-blog/2022/3/31/establishing-tia-procedures