International Data Transfers: New guidance published by the ICO

On the 17th November, the Information Commissioners Office (ICO) published new guidance on international data transfers, following a consultation which ran during the summer of 2021. 

Transfer Risk Assessments

Where organisations transfer personal data outside of the UK, they must comply with UK GDPR rules around restrict-ed transfers; in order to do this, Article 46 transfer mecha-nisms must be implemented. These safeguards include the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU Standard Contractual Clauses (SCCs), and Binding Corporate Rules (UK BCRs). 

As a result of the Schrems II ruling, the ICO now require Transfer Risk Assessments (TRAs) to be carried out by or-ganisations who intend to make restricted transfers of per-sonal data outside of the UK. 

Using a TRA allows organisations to assess specific circum-stances surrounding restricted transfers and to ensure that the Article 46 transfer mechanism will provide sufficient protections and also enforceable rights for individuals.  

The ICO’s consultation document which was published last year, sought responses on a new draft International Data Transfer Agreement (IDTA) and the associated guidance. The consultation closed in October 2021 and the ICO have now published an update to their guidance on internation-al data transfers; including a section on transfer risk as-sessments (TRAs) and a new TRA tool. 

To read the new guidance click here, and to access the TRA Tool, click here.

TRA Guidance & TRA Tool

The six question TRA tool has been designed to assist individuals in working through a TRA. In an effort to make the tool user-friendly and pragmatic, the ICO have broken the process down into six questions.  

Tables include tick boxes for answers at each stage, with information detailing the initial level of risk posed by different categories of data (from low to high); and therefore allowing the user to ascertain whether the transfer of said data would significantly increase the risk of either privacy or human rights breaches. 

The TRA guidance provides useful examples of the more difficult scenarios involving complex supply chains, in order to answer common questions (for example, identifying who is responsible for carrying the TRA out). 

The ICO states that organisations do not need to use the exact TRA template provided by the ICO, as long as they keep a record of their TRA in another format. 

Furthermore, the guidance also states that organisations can continue to comply with the existing Europe-an Data Protection Board’s (EDPB) approach to TRAs as an alternative to the guidance put forward by the ICO for UK transfers; therefore the EDPB approach may remain the default for organisations who operate internationally.

Emma Bate, Director of Legal Services for the ICO stated that:

“Our TRA guidance clarifies an alternative approach to the one put forward by the European Data Protection Board. Our aim is to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is rea-sonable and proportionate.” 

The ICO are keen to hear feedback on experiences of using the TRA tool so that they can continue to im-prove it. The ICO has also confirmed that further clause-by-clause guidance on the new IDTA is currently being developed, and will be published in the near future.