The Information Commissioner’s Office (“ICO”) has updated its guidance on international transfers of personal data (the “Guidance”), specifically providing further detail on Transfer Risk Assessments (“TRA”). The ICO has also released a TRA tool which an organisation can use to carry out TRAs.
The Guidance and the TRA tool will allow businesses to undertake reasonable assessments of the risk involved in restricted transfers made pursuant to appropriate safeguards. This demonstrates the direction which the ICO intends to take following Brexit, which is creating a more business friendly data protection regime.
The Guidance and the TRA tool now provide a simpler and risk-based alternative to the European Data Protection Board (EDPB) recommendations. To assist with the assessment, the TRA tool helpfully contains links to external resources which organisations may use to make their assessments.
The format of the TRA tool may also be preferred by many organisations since it splits the assessment into six questions and provides an easier structure to record findings.
Organisation may use the EDPB recommendations or the TRA tool to carry out the TRAs.
Under the UK and EU GDPR, restricted transfers (i.e., transfers to any country or territory outside the UK and EEA, as relevant) can be only be made in limited situations.
One such situation is using an approved data transfer agreement such as the European Commission’s Standard Contractual Clauses (“EU SCCs”) or the ICO’s International Data Transfer Agreement (the “IDTA”) or, the Addendum to the EU SCCs European (the ” UK Addendum”).
For information on the latest updates on these documents including important dates, please see here.
CJEU’s decision in the Schrems II case in July 2020 applies in the UK as it was handed down pre-Brexit. As per this decision, when data is being transferred to a third country using an appropriate safeguard, additional measures may need to be put in place.
This means that when relying on the IDTA or the EU SCCs (with or without the UK Addendum), carrying out a transfer risk assessment is a legal requirement. The TRA will allow the parties to assess whether the safeguard used to cover the transfer, will actually provide adequate protection to the data transferred and whether any supplementary measures must be put in place.
If using the IDTA, the data exporter undertakes the TRA and provides copy to Importer on request, however, under the EU SCCs, both parties will undertake this. The Guidance expands on this further and covers various scenarios where an organisation may need to make a restricted transfers e.g. where a series of connected, repeated or similar restricted transfers may be made.
The Guidance and the TRA tool provide an alternative to the current European Data Protection Board (“EDPB”) recommendations, which parties may have been using to date to comply with the legal requirement of undertaking a TRA.
TRAs based on these recommendations involve looking at the applicable legislation and practices of third parties that may access the transferred data (e.g. the surveillance powers of the public bodies and law enforcement agencies) in the recipient country to assess whether the chosen safeguard can actually ensure the effective protection of the personal data transferred, or if such legalisation and practices may impact the effectiveness or enforceability of the safeguard used, in the context of the specific transfer.
The EDPB recommendations were the only official guidelines available for quite some time after the Schrems II decision, and so many organisations making transfers subject to UK and EU GDPR were relying on this to undertake their TRAs.
We would recommend using the ICO TRA tool when carrying out UK restricted transfers as it is simpler and more user friendly than the EDPB equivalent.
You can register online or follow us on Twitter or LinkedIn to receive our latest news, events and publications.