Latest updates - 06 December 2023
We have updated this guidance to makes clear that analysis produced by the UK Government when making adequacy regulations for the UK Extension to EU-US Data Privacy Framework can be relied on when conducting a TRA for a restricted transfer to the US. The update can be found under the ‘What is a transfer risk assessment (TRA)?'
UK GDPR contains rules about transfers of personal data to receivers located outside the UK, which we refer to as restricted transfers.
One way to comply with UK GDPR rules on restricted transfers is to put in place an Article 46 transfer mechanism. These are the “appropriate safeguards” listed in Article 46 of the UK GDPR. Examples are the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs (the Addendum) and Binding Corporate Rules (BCRs).
If you are relying on an Article 46 transfer mechanism you must carry out a transfer risk assessment. This risk assessment will help you consider whether, in the circumstances of the transfer and with your chosen Article 46 transfer mechanism in place, the relevant protections for people under the UK data protection regime will be undermined.
Understanding and assessing risk is embedded into UK GDPR. When you decide what measures to put in place to comply with UK GDPR, you must take into account “risks of varying likelihood and severity for the rights and freedoms of natural persons” (Article 24).
The Schrems II judgment confirmed the role of risk assessments in the rules on restricted transfers. The Court said that before you may rely on an Article 46 transfer mechanism to make a restricted transfer, you must carry out a risk assessment. This is therefore a requirement under UK data protection laws.
How and when to use this guidance
This guidance is relevant to you, if you are:
- making a restricted transfer of personal data; and
- using one of the Article 46 transfer mechanisms, such as the IDTA, the Addendum or BCRs.
This guidance will help you to understand when and how to carry out a transfer risk assessment (TRA).
What is a transfer risk assessment (TRA)?
Carrying out a TRA helps you ensure that, in the specific circumstances of your restricted transfer, the Article 46 transfer mechanism will provide appropriate safeguards, and effective and enforceable rights for people.
There are two broad types of risk you must consider in your TRA:
- Risks to people’s rights arising in the destination country from third parties accessing the information that are not bound by the Article 46 transfer mechanism, in particular government and public bodies.
- Risks to people’s rights arising from difficulties enforcing the Article 46 transfer mechanism.
There are three approaches to conducting a TRA, in particular for the first set of risks:
- Option 1: This is the ICO’s approach in our TRA tool.
An assessment comparing the position of the people that the data is about, in the specific circumstances of the transfer:
a) if the information remains in the UK; and
b) if the proposed transfer goes ahead.
This assessment looks at the risks to people’s rights.
The key question is whether, as a result of the transfer, there is any increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK.
In other words, once their information is in the receiver’s hands, are people in a sufficiently similar position about any risks to their data privacy and human rights? If there is no significant additional risk, then the transfer may go ahead.
As the receiver is contractually bound to comply with the data protection rights in the Article 46 transfer mechanism, the main focus of this assessment is on the protection of human rights more generally in the destination country. Any risks about the enforceability of the Article 46 transfer mechanism are also considered.
This approach is taken in our TRA tool. This sets out one way to carry out a TRA, with questions, guidance and a template to complete.
- Option 2: This is the approach taken by EDPB.
An assessment where the laws and practices of the UK (including the UK GDPR) are compared to the laws and practices of the importing country in order to assess the risks outlined above.
This involves looking at the safeguards in place about third party access to the information, in particular by governments. Those safeguards do not need to be identical to those in the UK, but must be sufficiently similar.
- Option 3: This is the approach if you wish to rely on published UK Government analysis produced for making adequacy regulations for a particular sector in a country or territory, including a third country certification scheme.
Under Section 17A DPA 2018, the Secretary of State may make adequacy regulations (also known as data bridges). These allow the free flow of personal data to a third country or territory, or an international organisation, or a particular sector in a country or territory, if they consider that it provides an adequate level of protection for personal data. Article 45 UK GDPR lists the matters which the Secretary of State must consider when making this adequacy assessment.
An adequacy assessment must be reviewed and updated by the Secretary of State at intervals of no more than four years in accordance with section 17B DPA 2018.
An adequacy assessment under Article 45, whether made for the purposes of section 17A or 17B, includes an assessment of the risks outlined in option 1 and option 2 above.
Where adequacy regulations are for a particular sector or certification scheme in a third country, the adequacy assessment may cover third country protections for people in the UK, which also apply to information received under an Article 46 transfer mechanism.
In that case, we consider that it is reasonable and proportionate for you, for the purposes of your TRA, to rely on a UK Government published assessment made under Article 45.
Currently, the only relevant published assessment is the Department for Science, Innovation and Technology’s Analysis of the UK Extension to the EU-US Data Privacy Framework (the DSIT analysis).
If you are making restricted transfers to the US relying on an Article 46 transfer mechanism you may rely on the DSIT Analysis for the purpose of your TRA. You should refer to our detailed guidance on completing a Transfer risk assessment when transferring personal data to the US using an Article 46 transfer mechanism.
Importantly, we are content for you to carry out a transfer risk assessment that meets option 1, option 2, or option 3 when you make restricted transfers under an Article 46 transfer mechanism.
When should we carry out a TRA?
You need to carry out a TRA if you are making a restricted transfer and you wish to rely on one of the Article 46 transfer mechanisms, such as the IDTA, Addendum or BCRs.
You do not need to carry out a TRA if you are making a transfer to any country covered by UK adequacy regulations or if the transfer is covered by one of the exceptions.
If you are a controller, and your processor is making the restricted transfer, only the processor must complete the TRA. Please see our guidance on International Transfers to determine whether it is the controller or processor that is responsible for making a restricted transfer.
In that situation, you must still carry out reasonable and proportionate checks about whether the processor’s restricted transfers are compliant with UK GDPR, including its obligation to carry out a TRA. This is part of your obligation to ensure your processor provides you with “sufficient guarantees” in Art 28 UK GDPR. You may also need this to assist you in demonstrating you have a lawful basis under Article 6 UK GDPR for processing carried out by the processor on your behalf.
If the receiver is sending the data to third parties you must look at how this complies with the IDTA, Addendum, BCR or other Article 46 transfer mechanism you are using.
For example, if you are using the IDTA, the receiver may put in place an agreement which maintains the level of protection of the IDTA, or use another Art 46 transfer mechanism. Either you must carry out a TRA for this onward transfer, or the receiver must carry out the TRA and provide you with sufficient reassurance that it has done so in compliance with the requirements of the IDTA.
If you are making a series of connected, repeated or similar restricted transfers, you can carry out a TRA for each restricted transfer or one TRA that covers all of them.
If your Article 46 transfer mechanism covers repeated restricted transfers or an ongoing flow of restricted transfers to your receiver, you must regularly reassess the level of protection the Article 46 transfer mechanism provides (and any extra steps and extra protections you took alongside it).
You must ensure that the level of protection does not decrease over time. You need to regularly consider whether the level of protection may be undermined by:
- changes to the processing by the receiver;
- changes to the legal framework in the destination country; or
- technical developments making it easier to by-pass security arrangements.
What is the scope of a TRA?
Whatever type of risk assessment you carry out, its scope must be reasonable and proportionate. This should take into consideration the risk to people inherent in the data being transferred, the amount of data being transferred, and the size of the controller or processor making the restricted transfer, and so the resources available to it.
Our TRA tool includes further guidance about how to approach this.
The ICO’s TRA tool
The ICO’s TRA tool is a template document with questions and guidance, that sets out one way to carry out a TRA.
You do not need to use the TRA tool, but you may still use the questions to guide you through your own TRA.
The questions are:
- Question 1: What are the specific circumstances of the restricted transfer?
- Question 2: What is the level of risk to people in the personal information you are transferring?
- Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
- Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
- Question 5:
(a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
(b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
- Question 6: Do any of the exceptions to the restricted transfer rules apply to the “significant risk data”?
The “significant risk data” is the data you identify in Questions 4 and 5 as data which your Article 46 transfer mechanism does not provide all the appropriate safeguards for.
If by using the TRA tool, you decide that your Article 46 transfer mechanism will not provide appropriate safeguards and effective and enforceable data subject rights for all the personal data, then you must not make the restricted transfer.
You may put in place extra steps and extra protections and work through the TRA tool again. You may seek professional data protection advice to review your assessment.