Completing a TRA
In detail
- What types of risk should we consider in a TRA?
- How should we complete a TRA?
- What is the ICO’s TRA tool (option 1)?
- What is the EDPB’s approach (option 2)?
- What is using the government’s published analysis (option 3)?
- Who is responsible for completing the TRA?
- What level of detail do we need for a TRA?
- Is a TRA required for onward transfers?
- Do we need multiple TRAs if we’re making a series of connected, repeated or similar restricted transfers?
- How often do we need to reassess our TRA?
What types of risk should we consider in a TRA?
There are two broad types of risk you should consider in your TRA, in the specific circumstances of your restricted transfer and with your chosen safeguard in place:
- Risks to people’s rights arising in the destination country from third parties accessing the information when they aren’t bound by the safeguard you put in place. These third parties include government and public bodies.
- Risks to people’s rights arising from difficulties enforcing the safeguard.
How should we complete a TRA?
There are three approaches to completing a TRA:
- Option 1: Using the ICO’s TRA tool.
- Option 2: Using the European Data Protection Board’s (EDPB’s) approach.
- Option 3: Using the UK government’s published analysis.
You can choose any of these three approaches, but option 3 only applies where the UK government has published its analysis used to make adequacy regulations for a particular territory or sector in a country.
What is the ICO’s TRA tool (option 1)?
Under this approach, you first decide the level of detail you need for your assessment to be reasonable and proportionate.
You then assess and compare the position of the people the transferred information is about in the specific circumstances of the restricted transfer, to the level of detail (as a minimum) you decide you need:
- if the information remains in the UK; and
- if the proposed restricted transfer goes ahead.
This is a reasonable and proportionate assessment that looks at the risks to people’s rights. In particular, you’re considering whether there is any increase in the risk to people’s privacy and other human rights in the destination country compared with the risk if the information remains in the UK.
The receiver of the personal information you transfer is contractually required to comply with the data protection rights in the safeguard you put in place. So, the focus of your assessment is on the protection of human rights more generally in the destination country. You should also consider any risks around the enforceability of the safeguard.
Based on your assessment, you must make a reasonable and proportionate decision about whether the level of data protection, including the protection of human rights, for people’s information will be materially lower after you transfer the information.
If you identify no significant additional risk to people, it’s reasonable and proportionate for you to decide that the restricted transfer can go ahead.
This is the approach taken in the ICO’s TRA tool. Our tool offers one way you could complete a TRA, with questions, guidance and a template for you to use.
What is the EDPB’s approach (option 2)?
Under the EDPB’s approach, you assess and compare:
- the laws and practices of the UK (including the UK GDPR); and
- the laws and practices of the destination country.
You consider the safeguards in place for third-party access to the information, in particular by governments. The level of protection doesn’t need to be identical to the UK but must not be materially lower.
When you follow the EDPB’s approach for a restricted transfer under the UK GDPR, you decide the level of detail you need for your assessment of the laws and practices in the UK and the other country. You must, as a minimum, choose a level of detail that is reasonable and proportionate to the specific circumstances of your proposed restricted transfer.
You must also ensure that your decision based on that assessment is, as a minimum, reasonable and proportionate to the specific circumstances of your proposed restricted transfer.
If you’ve already completed a transfer impact assessment (TIA) for Article 46 appropriate safeguards under the EU GDPR, you could use this to inform your TRA where the UK GDPR applies.
What is using the government’s published analysis (option 3)?
You can use this approach if you want to rely on the UK government’s published analysis produced for making adequacy regulations for a particular territory or sector in a country.
Adequacy regulations set out which countries (or territories or sectors in a country) or international organisations the UK government has deemed to have an adequate data protection regime to protect personal information. Information can flow freely from the UK to these destinations. UK legislation lists the matters that the UK government must consider when making new adequacy regulations and must continue to monitor on an ongoing basis.
These include:
- respect for the rule of law and for human rights in the country or by the organisation;
- the existence, and powers, of an authority responsible for enforcing the protection of people the transferred information is about when personal information is processed in the country or by the organisation;
- arrangements for judicial or non-judicial redress for people the information is about in connection with such processing; and
- the constitution, traditions and culture of the country or organisation.
The UK government’s assessment of a particular territory or sector within a country includes consideration of the risks outlined in option 1 and option 2 above. Where adequacy regulations are for a particular territory or sector within a destination country, the UK government’s assessment may cover protections provided by that country for people in the UK, which also apply to information received under a safeguard. In that case, it’s reasonable and proportionate for your TRA and decision to be based solely on a UK government published adequacy assessment. Currently, there is only one relevant published assessment: the Department for Science, Innovation & Technology’s Analysis of the UK Extension to the EU-US Data Privacy Framework (the ‘DSIT analysis’).
If you make restricted transfers to the US relying on appropriate safeguards, you could rely on the DSIT analysis for the purpose of your TRA. You should refer to our detailed guidance on completing a TRA using the UK government’s analysis (US).
Further reading – Department for Science, Innovation & Technology
Department for Science, Innovation & Technology Analysis of the UK Extension to the EU-US Data Privacy Framework
Who is responsible for completing the TRA?
You must complete a TRA if you:
- initiate a restricted transfer; and
- intend to rely on appropriate safeguards to make the transfer.
This applies whether you’re a controller or a processor. For further information, see Step two: Are we initiating the transfer of personal information to an organisation outside the UK?.
You don’t need to complete a TRA if you’re making a restricted transfer and you’re relying on:
- UK adequacy regulations; or
- one of the exceptions.
If you’re a controller but your processor is initiating the restricted transfer, only the processor must complete the TRA. This is because the processor is responsible for complying with the UK GDPR transfer rules for restricted transfers they initiate. For example, this applies if your processor contracts with a sub-processor located outside the UK.
In this situation, you, as the controller, must still make reasonable and proportionate checks on whether the processor’s restricted transfers comply with the UK GDPR, including the requirement to complete a TRA. This is part of your obligation to ensure your processor provides you with “sufficient guarantees” in line with Article 28 of the UK GDPR. For further information, see What are our other key responsibilities if we’re a controller in relation to restricted transfers?.
If you’re a processor sending information to a recipient outside the UK, and this has been initiated by your controller, you’re not responsible for complying with the UK GDPR transfer rules. In this situation, if the UK GDPR applies to the controller, the restricted transfer takes place between your controller and the recipient. Your controller is responsible for complying with the UK GDPR transfer rules, even if the information flows directly from your organisation.
What level of detail do we need for a TRA?
Whichever approach you choose, you must ensure that the scope of your TRA is reasonable and proportionate.
Acting reasonably and proportionately refers to:
- the level of detail you decide is necessary for your assessment; and
- the decision you reach based on that assessment.
We've set out what this looks like in each option.
Is a TRA required for onward transfers?
You’re not legally required to complete a TRA when the receiver of your restricted transfer further transfers the personal information to a third party (an ‘onward transfer’).
When you make your restricted transfer, you should ensure your safeguard includes contractual protections for onward transfers by your receiver. So, what matters most is your risk assessment of the enforceability of your safeguard.
Your receiver must complete a TRA if:
- the UK GDPR applies to them; and
- they make a further restricted transfer relying on appropriate safeguards.
Do we need multiple TRAs if we’re making a series of connected, repeated or similar restricted transfers?
If you’re making a series of connected, repeated or similar restricted transfers, you could complete:
- a TRA for each restricted transfer; or
- one TRA that covers all of them.
If you complete one TRA that covers all the restricted transfers, you should consider:
- any differences in the specific circumstances of the restricted transfers; and
- the impact this has on your assessment.
This includes:
- any differences in the types of information transferred;
- the nature of the receiver’s processing of the information; and
- the status and identity of the receiver (eg whether they’re a controller or a processor, or whether they’re professionally regulated).
These considerations can help you determine if it’s practical for you to complete a single TRA to cover all the restricted transfers.
How often do we need to reassess our TRA?
If your appropriate safeguards cover repeated restricted transfers or an ongoing flow of restricted transfers to the same receiver, you must regularly reassess your TRA (and any extra steps and extra protections you took as part of it).
You must ensure the level of protection doesn’t decrease over time. You should consider whether the level of protection is lowered by:
- changes to the receiver’s processing;
- changes to the legal framework in the destination country; or
- technical developments making it easier to bypass security arrangements.
Unless the information is particularly high risk, an annual check is proportionate for most ongoing restricted transfers.