New ICO guidance on Transfer Risk Assessments

The Information Commissioner's Office (ICO) has recently published updated guidance on international transfers. The update focusses on restricted transfers (to a country not covered by a UK adequacy decision) and in particular includes a new section on transfer risk assessments (TRAs).

A TRA tool has been released alongside the guidance to assist UK organisations in conducting TRAs. This can now be used as an alternative to following the approach recommended by the European Data Protection Board (EDPB).

Who is this article for?

Organisations that (i) make restricted transfers of personal data (see below) and (ii) rely on an "appropriate safeguard" mechanism (e.g. standard contractual clauses) to do so.

What is a "restricted transfer" of personal data?

An organisation that is subject to the UK GDPR will make a restricted transfer if it transfers any amount of personal data to third parties (such as suppliers) located in territories outside the UK (or otherwise allows such third parties to access personal data held in the UK).  

If your organisation wishes to make a restricted transfer you must make sure that either (i) the territory in which the recipient is based is covered by a UK adequacy decision or (ii) the data is sufficiently protected by putting in place appropriate safeguards (see below) or (iii) an exemption applies.

Tip: you will not be making a restricted transfer of personal data if the data has been anonymised (so it is never possible to identify individuals). However, anonymisation requires care and attention to ensure that, even where names are removed, individuals are not identifiable from other aspects of a data set. The ICO’s draft anonymisation, pseudonymisation and privacy enhancing technologies guidance is a helpful starting point.

What are the risks associated with restricted transfers?

Restricted transfers are regulated because the human rights afforded to individuals in the UK may be threatened if data is transferred to territories where organisations are not required to apply the same high standards of privacy to personal data and/or where organisations may seek to exploit personal data for their own gain. The rights of an individual are also undermined if personal data is transferred to territories that do not have legal systems in place that enable individuals to challenge any misuse of their data.  

If a country or territory or organisation is covered by UK adequacy regulations then a restricted transfer can be made without putting in place additional protections or carrying out a risk assessment. The adequacy regulations list countries, territories, or international organisations, or particular sectors in a country or territory that have been assessed as providing adequate protection for personal data. A list is available on the ICO’s website (see “What countries or territories are covered by adequacy regulations?”).

If there is no adequacy finding in respect of the country, territory or organisation that you wish to send personal data to, you must ensure that your organisation can rely on one of the ‘appropriate safeguard’ mechanisms set out in Article 46 of the UK GDPR or rely on an Article 49 exception. Note, however, that the ICO guidance states that relying on an exception as opposed to an Article 46 mechanism is unlikely to be proportionate for anything other than occasional low risk transfers with low volumes of data.

A full list of Article 46 mechanisms is available in the ICO guidance, but the most commonly used is standard contractual clauses. From 21 March 2022 UK organisations have been able to utilise either (i) the ICO’s International Data Transfer Agreement (IDTA) or (ii) the new EU standard contractual clauses in conjunction with the ICO’s UK International Data Transfer Addendum.

When is a risk assessment required?

Following the Schrems II decision in 2020, before an organisation relies on an Article 46 appropriate safeguard it must carry out a TRA. The purpose of the TRA is to ensure that the appropriate safeguard (e.g. standard contractual clauses) will, in practice, ensure that the personal data being transferred is protected when processed in the recipient's territory. Organisations must keep records of their TRAs.

Who needs to carry out the TRA?

The ICO's guidance helpfully clarifies that if, as a controller, you appoint a processor who is making a restricted transfer, only the processor must carry out a TRA.

For example, if you are a controller transferring personal data to another UK company as your processor, and the processor appoints a sub-processor that is based outside of the UK (in a country not covered by an adequacy decision), the processor would be carrying out a restricted transfer and as such, assuming it was relying on an Article 46 appropriate safeguard to do so, would be required to carry out a TRA. This is still the case if, in practical terms, the data flows straight to the sub-processor.

What needs to be in my TRA?

As above, the goal of a TRA is to satisfy yourself that the relevant protections in the UK GDPR are not undermined when data is transferred overseas. In practice a TRA requires you to identify risks arising from a proposed restricted transfer and to put in place suitable mitigations that must stay in place for the duration of the transfer.

New ICO risk assessment tool released

To date, organisations have based their approach to TRAs on the EDPB's recommended process, which has been seen as burdensome since it requires them to assess the data privacy regime in the recipient's country and any likely risks associated with third-party access to data. The ICO's new TRA tool and guidance offer an alternative approach and provide a six-step process to follow, links to external resources (such as human rights reports) and a place to record findings and conclusions. The tool is not automated, so the onus is still on the organisation to allocate risk ratings and identify mitigations, although it does provide marginal notes and guidance to assist with this process. In the coming months the ICO is considering publishing further worked examples to show how the tool works in practice.

The ICO hopes its approach is 'reasonable and proportionate' and allows organisations to adopt a more risk-based process. In comparison to the EDPB approach to TRAs, the tool places less reliance on assessing the approach to data protection regulation in the foreign jurisdiction and instead focusses assessment on the overarching human rights regime in the recipient country or territory and whether the transfer will result in an increased risk to individuals. This should make investigations more manageable for businesses. The tool also includes a more streamlined process for SME organisations.

Note, however, that organisations remain free to carry out TRAs using methods other than the ICO's tool, including the existing EDPB approach, and it is likely that businesses that are also subject to the EU GDPR, or that have invested significant time and resource embedding the EDPB's TRA approach into their internal processes, will choose to do so.

In summary

The updated ICO guidance and TRA tool are further signs of an emerging UK approach to data protection that diverges from the EU. In particular, the ICO has considered what level of investigation is reasonable for businesses to undertake when carrying out risk assessments, which is welcome. However, for international corporate groups a divergent UK approach could create more rather than less complexity, and many may choose to adhere to the more onerous EU standards for consistency across their businesses.