The UK General Data Protection Regulation (GDPR) contains guidance and rules regarding transfers of personal data to recipients located outside the UK; these are known as restricted transfers. Article 46 of the GDPR details the “appropriate safeguards” that should be implemented for restricted transfers in order to comply with the GDPR. Examples of such safeguards are the Information Commissioner’s Office’s (ICO) International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs (the Addendum) and Binding Corporate Rules (BCRs). The ICO, which is the data protection regulator in the UK, has recently shared new guidance on international transfers. The update from November 2022 includes a new section on Transfer Risk Assessments (TRAs) as well as a new TRA tool.

TRA Guidance

The latest guidance published by the ICO states that any company making a restricted transfer that wishes to rely on an Article 46 transfer mechanism, such as the IDTA, Addendum or BCRs, needs to carry out a TRA. There is no need to carry out a TRA if the organisation is making a transfer to any country covered by UK adequacy regulations or if the transfer is covered by one of the eight exceptions set out in Article 49 of the UK GDPR. The aim of the TRA is to aid organisations in determining whether the “appropriate protections” for people under UK data protection law will be eroded. According to the ICO, there are two methods by which a company can conduct a TRA. Companies exporting data from the UK can carry out an evaluation using either option. The options as per the ICO website:

Option 1: The ICO’s approach in the TRA tool; and
Option 2: The European Data Protection Board’s approach (i.e. an assessment where the laws and practices of the exporting country are compared to the laws and practices of the importing country in order to assess the risks). This involves looking at the safeguards in place about third-party access to the information, in particular by governments.

TRA Tool

The new TRA tool consists of a template document with six questions and guidance on how to complete the TRA. Initially, the tool assigns a risk level for various categories of data. The reasoning behind the tool is to focus more on whether the transfer increases the risk of a breach of either privacy or other human rights. The ICO trusts that the TRA tool will capture the key risks to the persons the data is about. However, the use of the tool is not mandatory; you may still use the questions laid out to guide you through your own TRA. You shall not make the restricted transfer if, after using the TRA tool, you determine that the Article 46 transfer mechanism will not provide adequate safeguards and enforceable data subject rights for all personal data subject to the transfer. Should this happen, your organisation should implement additional safeguards and precautions and go through the TRA tool once more. To review your evaluation, you can get expert advice on data protection; HewardMills are happy to assist your company with this assessment.

Next Steps

The ICO has confirmed that it is currently working on guidance showing organisations how to use other “appropriate safeguards” such as the IDTA and the Addendum to the EU Standard Contractual Clauses, which will include clause-by-clause guidance. Once the ICO releases this guidance, HewardMills will be sure to update you on changes. HewardMills have a number of Data Analysts and Consultants located in the UK who are well placed to advise on any queries that you or your organisation may have following these new updates.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.