New Transfer Risk Assessment guidance and tool: the ICO offers an updated approach
Further to the draft guidance issued in August 2021, the UK’s Information Commissioner’s Office (ICO) has now finalised and published the long-awaited transfer risk assessment (TRA) guidance together with an accompanying assessment tool.
For context, following the Schrems II judgment, controllers intending to make a restricted transfer under Article 46 of UK GDPR are required to carry out a TRA. This process aims to help controllers to understand, assess and mitigate transfer-related risks with a view to ensuring that the data protection safeguards under the UK regime will be maintained after the transfer. The TRA is required regardless of whether you are relying on the International Data Transfer Agreement (IDTA), the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (the Addendum) or Binding Corporate Rules (BCRs). Below we discuss a few key takeaways:
How should you approach a Transfer Risk Assessment (TRA)?
The ICO suggests two broad options for carrying out a TRA:
- Option 1, which is the ICO’s own approach to TRAs, compares the position of data subjects and the risks to their rights if the information remained in the UK as opposed to the transfer going ahead. This is the approach embedded in the ICO’s new TRA tool.
- Option 2 follows the approach taken by the European Data Protection Board (EDPB) and focuses on the comparison of the laws and practices of the UK to those of the importer’s jurisdiction. This exercise involves looking into how similar data protection safeguards are to the UK regime and, in particular, issues surrounding third-party access (especially by governments).
The ICO has stated that it is ‘happy’ with organisations relying on either option. Crucially, the regulator does not mandate that its TRA tool be used in all cases where Option 1 is being pursued; however, it has suggested that the questions in the tool can still be used to guide controllers’ own TRAs. These are as follows:
- Question 1: What are the specific circumstances of the restricted transfer?
- Question 2: What is the level of risk to people in the personal information you are transferring?
- Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
- Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
- Question 5:
  - Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
  - If enforcement action outside the UK may be needed: are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
- Question 6: Do any of the exceptions to the restricted transfer rules apply to the ‘significant risk data’?
Where there is a series of transfers that are connected, repeated or similar, controllers may carry out either separate TRAs or a single TRA covering all of them. Where transfers are repeated rather than one-off, controllers must regularly reassess the risks (including any supplementary measures or extra protections adopted as a result of previous assessments).
The ICO has clarified that where processors are making restricted transfers, they are responsible for carrying out their own TRAs (as opposed to controllers).
However, the ICO expands on this point by requiring controllers to carry out ‘reasonable and proportionate checks’ as part of their obligation to make sure that the processors they have engaged provide ‘sufficient guarantees’ in line with Article 28 of the UK GDPR. At the same time, the ICO suggests that these checks may be necessary to ensure overall compliance with the UK GDPR (including to assist controllers in demonstrating that the relevant lawful basis has been appropriately selected).
Equally, where a data importer is to make onward transfers, the exporter must either carry out a TRA on its own, or the importer must do so and provide the exporter with ‘sufficient reassurance’ that it has carried out the TRA. It should be noted that the ICO does not clarify what ‘sufficient reassurance’ may look like.
Are there any notable changes from the previous draft guidance on TRAs?
Perhaps the most noticeable shift from the draft TRA guidance is the absence of a detailed surveillance assessment in the TRA tool. The new template no longer contains a detailed review of the likelihood of third-party access to data (in particular, by the government) and of any related legal remedies in the destination country. However, this would still be an important consideration in the human rights risk assessment, especially having regard to the essence of the right to respect for private life and the right to a fair trial under the European Convention on Human Rights.
While the new TRA tool broadly embeds the concepts and methods set out in the draft TRA guidance, there are other notable changes:
- A refined approach to investigations: the tool introduces a three-level investigation process, with the levels ranging from 1 (relatively high-level) to 3 (more in-depth). When deciding which level to select, organisations will have to take into account three key factors:
  - the size of the exporting organisation (SME or large business);
  - the risk of harm to the personal data being transferred (low, moderate or high); and
  - the volume of the personal information.
Depending on the level selected, the TRA tool provides a number of resources to consider when conducting the investigation. These cover issues such as the destination country’s legal system, its respect for the rule of law and its human rights record.
- A specific approach to the human rights risk analysis: the TRA tool asks controllers to consider concrete risks to human rights (as enshrined in the European Convention on Human Rights, e.g. the right to respect for private and family life and the freedom of expression). This means that exporters will need to consider whether the proposed transfer could exacerbate human rights risks for data subjects, either by making a breach more likely or by increasing its severity if those risks were to materialise.
- A modified enforcement questionnaire: this part looks at the potential obstacles to enforcing the Article 46 transfer mechanism against the importer. More precisely, the assessment of how likely the importer is to accept a UK court decision or an arbitral award takes into account factors such as past compliance with adverse judgments and/or awards, the existence of insurance from a reputable provider covering such cases, and strong commercial reasons for accepting the judgment and/or award.
The new TRA tool further includes a table of indicative risk scores for some of the most common categories of personal data to assist risk assessment. For instance, personal information such as an address or individual contact details is graded as low-risk, non-biometric photos are graded moderate and information on gender is graded as high-risk. Supplementary measures have also been updated and now include, amongst others, stronger contractual safeguards for cases where the importer receives an access request from a third party or public authority.
What should I do moving forward?
Organisations across the UK will have to make sure that the ICO’s new approach to the TRA is embedded in their data transfer arrangements. In other words, TRAs must accompany and inform each new IDTA or Addendum that controllers intend to put in place (except where an in-depth assessment is more suitable, having regard to the complexities of the proposed transfer). At the same time, organisations might benefit from revisiting their existing data transfer arrangements to make sure they are in keeping with the updated requirements.
If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.