On 17 November 2022, the ICO revised its guidance on international transfers, added a new section on transfer risk assessments (TRAs) and released a new TRA tool. The tool can be used to carry out a transfer risk assessment, which is required where a restricted transfer of personal data outside the UK (one not covered by UK "adequacy regulations") relies on an "appropriate safeguards" mechanism under Article 46 of the UK GDPR, such as standard contractual clauses or the ICO's International Data Transfer Agreement.
The ICO's proportionate, risk-based approach to TRAs is welcome, and organisations, particularly those with an exclusively UK focus, may now choose to follow the ICO's approach rather than that of the European Data Protection Board (EDPB).
What's the reason for carrying out a transfer risk assessment?
Following the Schrems II decision in 2020 (which, as retained EU case law decided before the end of the transition period, forms part of UK law), an organisation relying on an "appropriate safeguards" mechanism must be satisfied that the mechanism's effectiveness in protecting data subjects' rights is not undermined by the laws and practices of the destination country. Establishing that is the purpose of a TRA.
What about existing TRA templates – can we continue to use those?
Many organisations will already have built their TRA process on the EDPB's six-step process for transfer impact assessments (EDPB Recommendations 01/2020 on supplementary measures). The ICO's blog announcing the new guidance is clear that its TRA tool is optional and offers an "alternative approach" to the EDPB's. Organisations that are also subject to the EU GDPR are likely to continue to follow the EDPB's approach so that they apply a single, uniform transfer assessment across the organisation. The ICO also acknowledges that organisations may use an entirely different assessment format from the one proposed by the tool, provided that a record of the assessment is retained.
What does the new TRA tool seek to achieve?
The TRA tool divides the assessment into six questions, with tick-box tables for each question and an annex giving indicative risk scores for various categories of personal data.
The six questions from the ICO's TRA tool
- What are the specific circumstances of the restricted transfer?
- What is the level of risk to people in the personal information you are transferring?
- What is a reasonable and proportionate level of investigation, given the risk level in the personal information and the nature of your organisation?
- Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
- (a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
  (b) If enforcement action outside the UK is needed: are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
- Do any of the exceptions to the restricted transfer rules apply to the "significant risk data" you have identified (i.e. data identified in Questions 4 and 5 for which your Article 46 transfer mechanism does not provide all of the appropriate safeguards)?