Six years ago this July, the European Court of Justice ruled in Schrems II (Case C-311/18) that personal data exported from the EU to a third country must enjoy "essentially equivalent" protection — and that organisations transferring data must check this themselves, transfer by transfer. The Transfer Impact Assessment was born.

Six years later, it remains the most operationally awkward part of GDPR compliance for SMBs. Most data flows touch the US, the UK, India or Brazil. Most organisations don't know which country their cookie-tracking SDK phones home to. And the EU-US Data Privacy Framework — adopted in 2023 to replace the invalidated Privacy Shield — is itself under legal challenge in Schrems III, with a CJEU ruling expected late 2026 or early 2027.

This guide explains what a Transfer Impact Assessment actually requires of an SMB in 2026, the six steps that make a TIA defensible, and how to fit them into the data map you already maintain.

What is a Transfer Impact Assessment?

A Transfer Impact Assessment (TIA) is the documented analysis required by GDPR Chapter V whenever personal data is transferred from the EEA to a third country (a country outside the EEA). It answers two questions:

  1. Is the transfer protected by an Article 46 transfer mechanism — Standard Contractual Clauses, Binding Corporate Rules, an approved code of conduct, or a certification scheme?
  2. Does the law of the receiving country provide protection essentially equivalent to GDPR — or do you need supplementary measures (encryption, pseudonymisation, contractual additions) to close the gap?

The first question is contractual. The second is the hard one. EDPB Recommendations 01/2020 set out the methodology; national supervisory authorities have built on it with country-specific guidance.

A TIA is not a one-time exercise. The analysis must be revisited when the law of the receiving country changes (a new surveillance law, a court ruling), when the transfer arrangement changes (new processor, new sub-processor), or after a serious incident.

The Schrems II legacy: why TIAs exist

In July 2020, the CJEU invalidated the EU-US Privacy Shield in Schrems II. The court found that US surveillance laws (FISA Section 702, Executive Order 12333) gave US intelligence services access to personal data of EU residents that was incompatible with GDPR's protection standards — and that the US legal system did not provide effective redress to non-US persons.

The ruling did not just invalidate Privacy Shield. It established a methodology: any transfer mechanism — SCCs, BCRs, anything else — only works if the legal context of the receiving country actually allows the protections in the contract to be effective. A clause requiring the importer to refuse foreign government access requests is meaningless if local law forces the importer to comply.

EDPB Recommendations 01/2020 (final version November 2020) translated the ruling into the six-step TIA methodology that has remained largely stable since. National DPAs — the CNIL in France, the AP in the Netherlands, the BfDI in Germany, the AEPD in Spain, the ICO in the UK — have published implementation guidance, but the EDPB framework is the common substrate.

When does an SMB need a TIA?

Three triggers, all routine for any SMB using mainstream SaaS:

  • Any processor in a third country. US-based CRMs, US analytics platforms, Indian helpdesk providers, Filipino BPO services. If they process EU personal data, you need a TIA per processor (or per sub-processor, where transfers chain).
  • Any sub-processor relationship that crosses borders. Your EU-hosted SaaS uses an Indian support contractor that can read tickets containing EU personal data — that is a transfer.
  • Any AI service that processes data outside the EU. Most large-model providers process inference in US data centres. Even when the contract says "EU-hosted," ask where inference actually runs.

What about adequacy decisions? As of April 2026, fourteen jurisdictions enjoy an adequacy decision: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay. A transfer to one of these does not require a full TIA — the European Commission has done the analysis on your behalf. You still document the transfer in your ROPA, but no supplementary measures are needed.

The US is special. The EU-US Data Privacy Framework (DPF) provides adequacy for US organisations that self-certify. As of April 2026, this framework is still in force but under challenge in the CJEU (Schrems III). Many EU SMBs are pre-empting an invalidation by treating US transfers as if there were no adequacy — applying full TIAs and supplementary measures even when the recipient is DPF-certified. This is conservative; it is also defensible.

The EDPB six-step TIA methodology

EDPB Recommendations 01/2020 set the canonical structure. Each step is a section in your TIA document.

Step 1: Know your transfer

Document who transfers what to whom, where, and for what purpose. Without this, the rest is impossible. For each transfer, capture:

  • The exporter (you, or your processor)
  • The importer (the receiving organisation)
  • The categories of data subjects and personal data
  • The volume and frequency
  • The purpose
  • Onward transfers (sub-processors, sub-sub-processors)

This is exactly the data your ROPA already contains, if your data map is current. The GDPR data mapping guide covers the inventory layer.

Step 2: Identify the transfer tool

For each transfer, identify the Article 46 mechanism: 2021 SCCs, BCRs, an approved code of conduct, or a certification scheme. Most SMB transfers use SCCs (the European Commission's standard contractual clauses, modernised in June 2021 to four modules: C2C, C2P, P2C, P2P).

If no Article 46 tool covers the transfer, you cannot rely on Article 49 derogations except for narrowly defined cases — explicit consent, necessity for contract performance, important reasons of public interest. Article 49 derogations are exceptional, not a fallback for routine processing.

Step 3: Assess the law of the third country

Does the law of the importing country allow the protections in the SCCs to be effective? This is the heavy step. You assess:

  • Surveillance laws (does foreign intelligence have access?)
  • Government access regimes (orders, subpoenas, national security letters)
  • Effective redress (can affected EU data subjects challenge access?)
  • Independence of supervisory authorities

Country-specific assessments published by trade associations, supervisory authorities, and law firms can be cited. The CNIL maintains a useful country-risk matrix; the EDPB has flagged specific countries — the US under FISA 702, China under the National Intelligence Law, Russia, India under the IT Rules — as high-risk.

Step 4: Identify supplementary measures

If the third-country law does not provide essential equivalence, supplementary measures must close the gap. EDPB Recommendations identify three categories:

  • Technical — strong encryption with keys held in the EU, pseudonymisation, secure multi-party computation. This is the most defensible category.
  • Contractual — additional clauses obliging the importer to challenge access requests, notify the exporter, publish transparency reports. Useful but limited; contracts cannot override domestic law.
  • Organisational — internal policies on responding to access requests, training, governance. Useful as evidence of due diligence.

The combination depends on the data category and the risk. For special-category personal data sent to a US processor, end-to-end encryption with EU-held keys is essentially the floor. For low-risk operational data, contractual measures may suffice.

Step 5: Document the assessment

The TIA is itself a document. It captures the analysis from steps 1–4, the conclusion (acceptable / requires further measures / not permitted), the supplementary measures adopted, the responsible person, and the next-review date. Without documentation, you cannot demonstrate compliance to a supervisory authority.

A serious TIA tool stores the assessment as structured data — not a Word file in a SharePoint folder — so you can answer questions like "show me all TIAs for transfers to the US that conclude with conditional approval." This is also where integration with your DPIA workflow pays off: the same processing can be the subject of an Article 35 DPIA and a Chapter V TIA, and the documentation should not duplicate.

Step 6: Re-evaluate

Three triggers force a re-evaluation:

  • A material change in the law of the importing country (a new surveillance law, a court ruling like Schrems II or its eventual successor)
  • A material change in the transfer (new processor, new sub-processor, new data category)
  • A serious incident (a data breach involving the importer, a government access request received)

Beyond the triggers, a scheduled annual review catches drift. Each TIA should record its next-review date.

The 2026 transfer landscape

A snapshot of what an SMB faces today, country by country.

United States. EU-US Data Privacy Framework in force; Schrems III pending at the CJEU with a ruling expected late 2026 or early 2027. DPF-certified US importers can be treated as adequate under current law, but conservative practice is to apply supplementary measures regardless. End-to-end encryption with EU-held keys remains the strongest technical measure.

United Kingdom. Adequacy decision in force, due for renewal during 2026. The UK has diverged from the GDPR in some areas (relaxed cookie rules, looser AI regulation) but retains GDPR-equivalent transfer rules. The UK ICO is broadly aligned with the EDPB.

India. No adequacy decision. The 2023 Digital Personal Data Protection Act has raised some baseline protections, but surveillance powers under the IT Rules remain a concern. Treat as high-risk; supplementary measures required.

China. No adequacy decision. The Personal Information Protection Law (PIPL) requires explicit consent for cross-border transfers and government security assessments for large transfers. Combined with the National Intelligence Law, transfers to China require strong supplementary measures or derogations.

Brazil. No adequacy decision yet, but LGPD provides GDPR-similar protections. The European Commission has flagged Brazil for potential adequacy assessment in 2026. Treat as moderate-risk; standard SCCs plus monitoring is usually defensible.

Integrating TIAs into your data map

A TIA tool that is disconnected from your transfer inventory is doing the work twice. Each transfer in your data map should already have:

  • The destination country
  • The transfer mechanism
  • The legal basis
  • The category of data
  • The volume and frequency

When that data is structured, generating a TIA becomes a matter of confirming the heuristics and adding the country-specific analysis. Readmodel® treats every transfer in your map as a candidate for a TIA: when the destination country is outside the adequacy list, the system flags the transfer in the risk register and offers a TIA workflow that pre-fills steps 1, 2 and 6 from the inventory.
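As an added illustration (not Readmodel®'s code or the page's own), here is a small Python model of the screening just described and of the step 5 query: the adequacy list as the article gives it, the conservative DPF default, the step 6 review check, the step 1/2/6 pre-fill, and the "US TIAs with conditional approval" lookup. The EEA subset, the inventory rows and the TODAY date are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Adequacy list as the article states it (as of April 2026); the EEA set is a constructed subset.
ADEQUATE = {"Andorra", "Argentina", "Canada", "Faroe Islands", "Guernsey", "Isle of Man", "Israel",
            "Japan", "Jersey", "New Zealand", "Republic of Korea", "Switzerland", "United Kingdom", "Uruguay"}
EEA = {"Germany", "France", "Netherlands", "Ireland", "Spain"}
TODAY = date(2026, 4, 15)  # constructed reference date

@dataclass
class Transfer:
    """One inventory row carrying the fields the article says each transfer should have."""
    importer: str
    country: str
    mechanism: str                   # e.g. "SCC C2P", "BCR", "DPF", "adequacy"
    data_category: str               # e.g. "operational", "special-category"
    last_review: date | None = None
    conclusion: str | None = None    # "acceptable", "conditional", "not permitted"

def tia_required(t: Transfer, trust_dpf: bool = False) -> bool:
    """Steps 1-2 screening: any transfer leaving the EEA without adequacy needs a TIA.
    trust_dpf=False mirrors the conservative practice of not relying on DPF certification."""
    if t.country in EEA or t.country in ADEQUATE:
        return False
    if trust_dpf and t.country == "United States" and t.mechanism == "DPF":
        return False
    return True

def review_due(t: Transfer, today: date, max_age_days: int = 365) -> bool:
    """Step 6: a TIA that was never reviewed, or is older than 12 months, is due."""
    return t.last_review is None or (today - t.last_review).days > max_age_days

def prefill(t: Transfer, today: date) -> dict:
    """Pre-fill steps 1, 2 and 6 of the TIA document from the inventory row."""
    return {"step1_importer": t.importer, "step1_country": t.country,
            "step2_mechanism": t.mechanism,
            "step6_next_review": (t.last_review or today) + timedelta(days=365)}

def conditional_us(transfers: list[Transfer]) -> list[Transfer]:
    """The query the article uses to test structured storage: US TIAs with conditional approval."""
    return [t for t in transfers if t.country == "United States" and t.conclusion == "conditional"]

SAMPLE = [  # constructed inventory rows
    Transfer("US CRM vendor", "United States", "DPF", "operational", date(2025, 1, 10), "conditional"),
    Transfer("Indian helpdesk", "India", "SCC C2P", "special-category"),
    Transfer("UK payroll bureau", "United Kingdom", "adequacy", "operational", date(2026, 2, 1), "acceptable"),
    Transfer("German hosting", "Germany", "n/a", "operational"),
]
```

Running `tia_required` over `SAMPLE` flags the US and Indian rows and leaves the UK and German rows alone; `review_due` catches both the never-reviewed Indian row and the stale US one.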

For the broader DPIA workflow that often runs in parallel with a TIA, see the DPIA automation tools guide.

Transfer Impact Assessment: frequently asked questions

Is a Transfer Impact Assessment legally required by GDPR? The text of the GDPR does not use the phrase "Transfer Impact Assessment." The requirement comes from Schrems II (CJEU C-311/18) and EDPB Recommendations 01/2020, which interpret Articles 44–49 of the GDPR. Supervisory authorities now expect a documented TIA for any transfer to a third country without adequacy. In practice the answer is yes — through case law and EDPB guidance.

Do I need a TIA for transfers to the US under the EU-US Data Privacy Framework? Strict reading: no — DPF certification provides adequacy. Practical reading: yes, lightly. The Schrems III legal challenge means DPF status could change. Documenting a TIA that concludes "adequate under DPF, monitoring for legal changes" gives you both compliance today and forward protection if the framework falls.

What is the difference between a TIA and a DPIA? A DPIA (Article 35) assesses high-risk processing for its impact on data subjects. A TIA (Chapter V via Schrems II) assesses whether a third-country transfer maintains GDPR-equivalent protection. The same processing can require both: high-risk processing that involves a third-country transfer requires a DPIA AND a TIA. Modern compliance tools store both as linked records.

Do small businesses need a TIA? If you use any non-EU SaaS that processes personal data — and almost every SMB does — yes. There is no Article 30(5)-style headcount exemption for transfers. The depth of the analysis can be proportionate, but the documentation must exist.

What's the difference between SCCs and BCRs? SCCs are the European Commission's pre-approved standard contracts that any pair of organisations can adopt. They were modernised in June 2021 into four modules. BCRs (Binding Corporate Rules) are intra-group rules for large multinational groups that have been approved by a supervisory authority. BCRs are expensive to obtain but easier to operate at scale; SCCs are accessible but require per-relationship work. Most SMBs use SCCs.

Can I rely on Article 49 derogations? For routine processing, no. The derogations are designed for narrow, exceptional cases: explicit consent for a specific transfer, necessity for contract performance with the data subject, important reasons of public interest. The EDPB has been emphatic that Article 49 is not a workaround for missing Article 46 mechanisms.

How often should I update my TIAs? Three triggers force an update: a change in the law of the importing country, a change in the transfer arrangement, a serious incident. A scheduled annual review catches drift. Most supervisory authorities expect TIAs to be no older than 12 months at the time of inspection.

What happens if Schrems III invalidates the EU-US Data Privacy Framework? If the CJEU invalidates the DPF, DPF-certified US importers lose their adequacy status. SMBs that pre-emptively applied supplementary measures will be largely unaffected. SMBs relying solely on DPF will need to rapidly adopt SCCs plus supplementary measures or migrate processing back to the EEA. The lesson from 2020 (Privacy Shield invalidation): conservative practice now saves a scramble later.

Start documenting your transfers

A TIA is not a one-time form to fill in — it is documentation that has to track the realities of where your data goes, who has access, and under what legal regime. The data inventory is the foundation; the TIA is built on top.

Create a free Readmodel® account, document your services and transfers, and the system will flag every cross-border transfer that needs a TIA. Templates for the EDPB six-step methodology, country-specific risk hints, and integration with the DPIA workflow are available on every plan, including the free Explore plan.