ICO releases updated guidance on Transfer Risk Assessments and a Transfer Risk Assessment Tool
The Information Commissioner’s Office has updated its guidance on international data transfers to include a section on Transfer Risk Assessments (TRAs) and a Transfer Risk Assessment Tool (TRA Tool).
Following the Schrems II ruling, organisations that intend to make a restricted transfer of personal data from the UK relying on one of the Article 46 GDPR transfer mechanisms (such as the International Data Transfer Agreement, the Addendum to the EU Standard Contractual Clauses or Binding Corporate Rules) are expected to undertake a TRA. A TRA is essentially a form of risk assessment to consider whether, having regard to the specific circumstances of the transfer, the legal protection for people under the UK’s data protection regime will be undermined in the country where the data is to be transferred.
The Guidance
The ICO states that the updated guidance offers an alternative approach to the one put forward by the European Data Protection Board (EDPB) and aims to deliver the right protection for data subjects while ensuring that any assessment is ‘reasonable and proportionate’. The ICO’s approach focusses more on comparing the position of the people that the data is about, whereas the EDPB’s approach compares the laws and practices of the UK with those of the importing country.
Notably, the ICO has advised that where the processor is the party making the restricted transfer, only the processor must complete the TRA. The controller must, however, carry out “reasonable and proportionate checks” about whether the processor’s restricted transfers comply with the UK GDPR.
Supplementing this guidance, the new, optional TRA Tool has also been introduced, consisting of six questions as well as guidance and tables to make it as user-friendly for organisations as possible. The TRA Tool provides an initial risk level for data categories and focuses on whether the transfer significantly increases the risk of any privacy or human rights breach.
The TRA Tool contains six questions, with an annex outlining the likely level of risk posed by different types of data, scored from low to high. Although organisations are not obliged to use the TRA Tool, its aim of making compliance more achievable may make it attractive.
Next Steps
The ICO has also announced that it is working on guidance showing how to use the International Data Transfer Agreement and the Addendum to the EU Standard Contractual Clauses, with specific clause-by-clause guidance, which is certainly something to look out for in light of the recent introduction of these two transfer mechanisms.
You can read the ICO’s blog post here and its guidance on TRAs here. You can also access the TRA Tool here.
Should you require advice and assistance with international transfer of personal data, please contact our Data Protection and Cyber Security team.
This article was co-written by Ussamah Nasar, Trainee Solicitor.