The ICO’s new Transfer Risk Assessment tool and guidance
Overview
Following the Schrems II judgment, controllers intending to make a restricted transfer under Article 46 of UK GDPR are required to carry out a Transfer Risk Assessment (TRA). This process accompanies a transfer tool and helps controllers understand, assess and mitigate transfer-related risks. The aim is to ensure that the data protection safeguards under the UK regime will be maintained after the transfer.
Further to the draft guidance issued in August 2021, the UK’s Information Commissioner’s Office (ICO) has now finalised and published the long-awaited TRA guidance together with an accompanying assessment tool. The ICO puts forward two broad options for carrying out a TRA:
TRAs Option 1
This is the ICO’s approach to TRAs: comparing the position of data subjects, and the risks to their rights, if the information remains in the UK as opposed to if the transfer goes ahead. This approach has been embedded in the ICO’s new TRA tool.
TRAs Option 2
This follows the approach taken by the European Data Protection Board (EDPB) and focuses on comparing the laws and practices of the UK with those of the importer’s jurisdiction. This exercise involves looking into how similar the data protection safeguards are to those of the UK regime and, in particular, issues surrounding third-party access, especially by governments.
Why is this significant and what does it mean for me?
When carrying out an international transfer to a non-adequate jurisdiction, it is mandatory to conduct a TRA. This requirement applies whether you are relying on the International Data Transfer Agreement (IDTA), the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (the Addendum) or Binding Corporate Rules (BCRs).
In light of the TRA findings, you may have to consider implementing supplementary measures such as encryption to protect the data. Alternatively, you may have to conduct a more in-depth assessment or suspend the transfer altogether due to the high risks identified.
For more information on this matter and how the new approach differs from the one taken in the old draft guidance, you can read this article.
If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.