On 17 November, the ICO published its long-awaited new guidance and resources on international data transfers. Key changes are updates to the ICO’s existing guidance on international transfers to include a new section on transfer risk assessments (TRAs), and an accompanying TRA tool.
We have summarised the key takeaways from the new guidance and TRA tool below.
What does the new ICO guidance say?
Currently, the judgment of the European Court of Justice in the Schrems II case also remains relevant for the UK. This means that, for companies conducting international data transfers under UK GDPR Article 46 mechanisms, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs (UK Addendum), a TRA must be completed in order to assess the risks associated with the transfer and whether any additional safeguards are required.
The ICO has now confirmed that, from a UK perspective, organisations can conduct the TRA using either:
- the approach set out by the ICO in its TRA tool (explained further below); or
- the approach taken by the European Data Protection Board (EDPB) in its Recommendation on supplementary measures, focusing on a comparison between the laws and practices of the UK versus the importing country in order to assess the risks to data subjects in each case.
The ICO has confirmed that from a UK perspective either approach is acceptable, giving organisations more flexibility as to how they conduct their TRAs for restricted transfers from the UK.
The ICO guidance also confirms that for controllers whose processors are making the restricted transfer (e.g. to a sub-processor), only the processor needs to complete the TRA. However, the controller must still carry out “reasonable and proportionate checks” to ensure the processor is complying with its UK GDPR obligations in relation to restricted transfers, including the obligation to carry out a TRA.
What is the approach taken by the ICO in its TRA tool?
The ICO’s TRA tool is a template document with questions and guidance that sets out one way to carry out a TRA. It is not mandatory to use the TRA tool, but organisations can still use its questions to guide them through their own TRA.
The intention is for the ICO’s TRA tool to provide an alternative approach to the one put forward by the EDPB. The ICO has stated that its aim is to find an “alternative, achievable” approach that delivers a high level of protection for data subjects, while still ensuring that the assessment remains “reasonable and proportionate”. Accordingly, the central focus of the assessment in the TRA tool is on whether, as a result of the transfer, there is any increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK; the ICO considers that this captures the key risk to the individuals the data relates to, while still being achievable. With respect to the scope of the TRA, what is “reasonable and proportionate” will depend on the circumstances, and should take into consideration the risk to people inherent in the data being transferred, the amount of data being transferred, and the size of the controller making the restricted transfer (and accordingly the resources available to it). The TRA tool contains further guidance on how to approach this.
The approach set out in the tool is based around six questions, and includes “decision points” that aim to assist in assessing the level of risk as an organisation progresses through the assessment. In addition, the tool includes an Appendix which includes a list of common categories of personal data together with an initial risk score for each, as well as examples of extra steps and protections that organisations can consider putting in place to support their assessment.
As mentioned above, organisations do not have to use the TRA tool, and the ICO has confirmed that the six-step approach previously outlined by the EDPB in its Recommendation on supplementary measures is also acceptable. Therefore, in practice, organisations engaging in restricted transfers under both the GDPR and the UK GDPR may wish to continue following the approach outlined by the EDPB in respect of restricted transfers from the UK, rather than taking different approaches for restricted EEA and UK transfers, although the guidance provided by the ICO in the TRA tool may still be helpful for the purposes of assessing restricted transfers from the UK.
What’s coming next?
In addition to the new guidance on international transfers and the TRA tool, the ICO has confirmed that it is also working on new guidance explaining how to use the IDTA and UK Addendum (including clause-by-clause guidance), although the ICO has not confirmed a date for this yet. In addition, the ICO is considering extending the current TRA guidance to include practical worked examples. The ICO has also stated that it remains keen to hear organisations’ experiences of using the current guidance and TRA tool, and plans to hold sessions during 2023 to seek feedback from organisations with a view to continuously improving its products.