What’s a transfer risk assessment (TRA)?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
- When do we need to complete a TRA?
- Does the TRA apply to part 3 of the DPA?
- What if we completed a TRA for a restricted transfer before the DUAA came into effect?
- What if our safeguard does not provide the required level of protection?
When do we need to complete a TRA?
The UK GDPR contains rules about transfers of personal information to separate organisations located outside the UK. We refer to a transfer of personal information under these rules as a ‘restricted transfer’.
When you make a restricted transfer, you must ensure that the transfer is covered by:
- UK adequacy regulations;
- appropriate safeguards; or
- an exception (called a “derogation” in the legislation).
If you decide to use appropriate safeguards, you must use one of the safeguards listed in Article 46 of the UK GDPR.
If you plan to use one of the safeguards, you must first complete a TRA to make sure that the standard of protection for people’s information is “not materially lower” after you transfer it.
Your chosen safeguard becomes “appropriate safeguards” when:
- you have completed a TRA;
- you have taken any extra technical and organisational steps and put in place any extra protections identified by your TRA; and
- the safeguard, including any extra contract clauses identified by the TRA, has been executed so it legally binds the parties to the safeguard.
Does the TRA apply to part 3 of the DPA?
If you’re processing information for law enforcement purposes under part 3 of the DPA, this detailed guidance may help you complete a TRA in your particular circumstances. However, the guidance was not written for this purpose.
We have separate guidance on international transfers in our Guide to law enforcement processing.
What if we completed a TRA for a restricted transfer before the Data (Use and Access) Act came into effect?
With the introduction of the Data (Use and Access) Act (DUAA), a TRA is now referred to in UK legislation as a “data protection test”.
To meet the data protection test, you must decide, acting reasonably and proportionately, that the standard of protection for people’s information is not materially lower than in the UK after you transfer it.
If you completed a TRA following our guidance before the DUAA came into effect, and you concluded that the level of protection was sufficient, you’ve met the data protection test. The principle is the same: you must ensure that the standard of protection for people is not undermined after you transfer their personal information.
We still use the term ‘transfer risk assessment’ and TRA in our guidance, but we have updated our TRA guidance to match the new wording of the data protection test.
What if our safeguard does not provide the required level of protection?
You must not make the restricted transfer relying on your safeguard if you:
- complete a TRA and decide that your chosen safeguard doesn’t provide enough protection for any of the information you want to transfer; and
- can’t take extra steps or put in place extra protections.
In that situation, you could rely on an exception or decide not to transfer the information.
Also, you must not make the restricted transfer relying on your safeguard if you:
- complete a TRA and decide that your chosen safeguard doesn’t provide enough protection for some but not all of the information you want to transfer; and
- can’t take extra steps or put in place extra protections.
In that situation, you could:
- for the information that is sufficiently protected, make the restricted transfer relying on your chosen safeguard (with any extra steps and protections); and
- for the information that is not sufficiently protected, rely on an exception or decide not to transfer that information.
Other resources – European Data Protection Board
The European Data Protection Board (EDPB) has adopted Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The recommendations apply to the EU GDPR transfer regime and are included here only as a useful reference about additional measures.