Delving into the ICO’s draft transfer risk assessment

Organisations do not need to look at the whole legal regime of the third country, as this is a job for the government. Emma Erskine-Fox of TLT LLP explains.

In the September issue of PL&B UK Report, we covered the Information Commissioner’s Office (ICO) draft international data transfer agreement (IDTA), on which the ICO consulted between 11 August and 7 October 2021. As part of the same consultation, the ICO also asked for views on draft guidance (Guidance) on carrying out transfer risk assessments (TRAs) as well as a draft template TRA tool (TRA Tool).

The Guidance and TRA Tool serve a similar purpose to the European Data Protection Board’s (EDPB’s) Recommendations on supplementary measures (Recommendations), although the ICO’s approach differs from the EDPB’s in a number of ways. In particular, the ICO documents embed a much more explicit focus on the risks that transfers pose to data subjects in practice. The Guidance, in fact, states that exporters do not need to assess the third country’s regime for managing third-party access to personal data at all if either: a) the possibility of third-party access, including surveillance, is minimal; or b) the risk of harm to data subjects would be low even if third-party access, including surveillance, did take place. This may be very helpful for organisations, particularly SMEs, carrying out low-risk transfers, as it removes the need to familiarise themselves with the intricacies of a third country’s third-party access regime.
