ICO publishes an update to its guidance on international transfers

The ICO has today published an update on its guidance on international transfers which includes a new section on transfer risk assessments (TRAs) and a TRA tool.

Emma Bate, the ICO’s Director of Legal Services (Regulatory Advice & Commercial), explains that this new UK guidance is an alternative to the one published by the European Data Protection Board (EDPB). She is confident that the new guidance provides an appropriate level of protection for the individuals whose data is being transferred from the UK to other jurisdictions (outside the European Economic Area and the jurisdictions currently declared by the EU to be “adequate”) and that this new assessment is “reasonable and proportionate.”

The ICO’s optional Transfer Risk Assessment tool contains six questions. The first two are:

  1. What are the specific circumstances of the restricted transfer?
  2. What is the level of risk to people in the personal information you are transferring?

The new guidance explains the differences between the approaches of the ICO and the EDPB and makes clear that ICO is happy for organisations exporting personal data from the UK to carry out an assessment that meets either approach.

The guidance provides eight legal bases for international transfers, for example, Binding Corporate Rules and Standard Data Protection Clauses, with helpful scenarios. There are also eight exceptions with helpful scenarios.

Further information