On November 17, 2022, the UK Information Commissioner’s Office (ICO) published an update to its guidance on international transfers of personal data from the UK to other jurisdictions, effective on the same day. This new UK guidance includes a new section on transfer risk assessments (TRAs) and a TRA tool, which represent an alternative to the one published by the European Data Protection Board (EDPB), which applies to international transfers from the European Economic Area (the 27 EU member states plus Iceland, Liechtenstein and Norway).
The TRA guidance establishes that, if an organization plans to transfer UK residents’ personal data outside of the UK and considers relying on the transfer mechanism of article 46 of the UK General Data Protection Regulation (UK GDPR), i.e., “transfers subject to appropriate safeguards”, it must carry out a TRA.
As a reminder, “appropriate safeguards”, as mentioned in article 46 of the UK GDPR, include the ICO’s International Data Transfer Agreement (IDTA), the IDTA Addendum to the EU SCCs, and Binding Corporate Rules (BCRs). The goal of the TRA is to “help [the organization] consider whether, in the circumstances of the transfer and with [its] chosen Article 46 transfer mechanism in place, the relevant protections for people under the UK data protection regime will be undermined.” [1]
Note that an organization making a transfer to any country covered by UK adequacy regulations, or covered by an exemption (i.e., an emergency situation: someone’s life, physical or mental health or wellbeing is at serious risk, and the organization cannot obtain the consent of the person the data to be transferred is about, because that person is unable to give consent), is not obliged to carry out a TRA.
The ICO specifies that there are two approaches to conducting a TRA: (1) adopting the ICO’s approach in its TRA tool, or (2) following the approach taken by the EDPB. The ICO’s TRA tool is effectively a template document with six questions and guidance on how to complete the TRA, whereas the EDPB approach takes the form of an assessment where the laws and practices of the exporting country are compared to the laws and practices of the importing country in order to assess the risks.
At the Law Office of S. Grynwajc, we assist companies in complying with international privacy laws and regulations. If you need help with your compliance with UK data protection law in connection with your international data transfers to the US, please contact us. Our privacy lawyers are admitted in both the UK and the US.
[1] “Transfer Risk Assessments”, Information Commissioner’s Office, online: <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/transfer-risk-assessments/>.