The Information Commissioner's Office ("ICO") has revealed revised guidance on international data transfers, including a new section on transfer risk assessments ("TRA") and a TRA tool.
The UK GDPR contains rules about transfers of personal data to importers located outside the UK, which are referred to as restricted transfers. One way to comply with the UK GDPR rules on restricted transfers is to implement an Article 46 transfer mechanism. These are the so-called appropriate safeguards and examples include the ICO's International Data Transfer Agreement ("IDTA"), the Addendum to the EU SCCs (the "Addendum") and Binding Corporate Rules ("UK BCRs").
The implementation of a TRA helps organisations ensure that, in the specific circumstances of a restricted transfer, the Article 46 transfer mechanism will provide adequate protections as well as effective and enforceable rights for people.
Alternative EDPB framework for international data transfers
Following the ruling in Schrems II, which confirmed the role of risk assessments in the regulations on restricted transfers, the ICO requires companies intending to make a restricted transfer of personal data from the UK to implement a TRA, and aims to assist UK data exporters in making reasonable and proportionate TRAs in order to guarantee that appropriate protection is afforded to data subjects.
For instance, this means carrying out a risk assessment to confirm whether the personal data protections established by the UK data protection regime will be upheld in the jurisdiction where the data importer is located. This analysis is in addition to implementing a legally enforceable data transfer safeguarding mechanism for data subjects under Article 46 of the UK GDPR (which includes using IDTAs or UK BCRs).
New TRA tool
The newly announced TRA tool is a template document comprising six questions. It provides direction to help UK data exporters reach a preliminary risk level valuation for the relevant categories of data, and to determine whether the circumstances of their data transfer significantly increase the risk of either a privacy or other human rights breach.
If, by using the TRA tool, an organisation finds that its Article 46 transfer mechanism will not provide appropriate safeguards and effective and enforceable data subject rights for all the personal data, then it must not make the restricted transfer. The tool accordingly also helps identify any additional steps and extra protections that need to be implemented in order for the overall international transfer mechanism to be compliant.