ICO publishes updated guidance on international data transfers

Earlier this year we published a blog on the new era of international data transfers outside the UK, following Parliamentary approval of the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Standard Contractual Clauses (Addendum). The IDTA and Addendum replaced standard contractual clauses for international transfers under Article 46 of the UK GDPR. They also took into account the EU Court of Justice judgement in the Schrems II case.

The Information Commissioners Office (ICO) has now published updates to their initial guidance on international transfers and includes new sections on transfer risk assessments (TRAs) and a TRA tool.

Their guidance sets out two approaches to conducting a TRA, the ICO’s new approach using their TRA tool, and the approach taken by the EU Data Protection Board.  The guidance outlines the differences between each approach, but importantly the ICO has confirmed they are happy for organisations to make their own decisions on the approach they wish to take.

The guidance clarifies who is responsible for completing a TRA and where multiple assessments may be required, including when an organisation is a controller and their processor is making a restricted transfer, or the receiver of the data is sending it to third parties. This will undoubtedly assist in defining roles and responsibilities for the completion of assessments.

When is a TRA required?

An organisation must carry out a TRA if it is making a restricted transfer of personal data and using a transfer mechanism under Article 46 of the UK GDPR, such as the IDTA, the Addendum or Binding Corporate Rules. A TRA does not need to be carried out if an organisation is making a transfer to any country covered by UK adequacy regulations or if an exception can be relied on.

How will the new TRA and Tool help organisations assess whether a transfer can take place or not?

The new TRA will assist organisations in considering two broad types of risk to determine whether as a result of the transfer there is an increased risk to privacy or human rights compared to the information remaining in the UK. These risks are:

• risks to individuals’ rights in the destination country from third parties such as government and public bodies, accessing the data who are not bound by Article 46 transfer mechanisms; and
• risks to individuals’ rights resulting from difficulties in enforcing the relevant Article 46 transfer mechanism.

The TRA tool consists of six overarching questions along with useful guidance and tables to guide the user through the assessment.  There is clear information in each question on the action required to complete the question and how to approach it.  There is helpful information contained in the Appendix on categories of personal data, including the ICO’s indicative risk score for each category and, examples of extra protections that can be considered to protect data, categorised into “Basic”, “Enhanced” and “Significant Protections”.

This new guidance will be welcomed by organisations and data protection professionals as it provides clarity on how to approach TRAs and a clear risk-based approach to assessing the data transfer versus the data remaining in the UK.

The ICO has confirmed they are continuing to review and update their guidance and will be producing guidance on how to use the IDTA and clause-by-clause guidance on the Addendum to the SCCs.

Next steps

As a specialist data protection consultancy, Evalian is well-placed to assist you with navigating the requirements of international data transfers and the associated assessments.   If you would like an informal conversation on how we can assist,  please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.