On 17 November 2022, the ICO revised its guidance on international transfers, created a new section on transfer risk assessments (TRA) and released a new TRA tool.  The new TRA tool can be used to undertake a transfer risk assessment, which is required where there's a restricted transfer of data outside the UK (not covered by UK "adequacy regulations") that relies upon an "appropriate safeguards" mechanism in Article 46 of the UK GDPR, such as standard contractual clauses.  

The ICO's proportionate, risk-based approach to TRAs is welcome and organisations, particularly those with an exclusively UK focus, may now choose to follow the ICO's approach over that of the European Data Protection Board (EDPB).

What's the reason for carrying out a transfer risk assessment?

Following the Schrems II decision in 2020 (which now forms part of English law), in order to rely on an "appropriate safeguards" mechanism, you need to be satisfied that the effectiveness of that mechanism (i.e. to protect the rights of data subjects) is not undermined in the destination country.  This means undertaking a TRA.

What about existing TRA templates – can we continue to use those?

Many organisations will already have built their TRA process on the basis of the EDPB's six-stage process for transfer risk assessments.  The ICO's blog announcing the new guidance is clear that its new TRA tool is optional and comprises an "alternative approach" to the one put forward by the EDPB.  Indeed, organisations that are also subject to the EU GDPR are likely to continue to follow the EDPB's approach so as to take a uniform approach to transfer risk assessments across the organisation.  The ICO also acknowledges that organisations can follow an entirely different assessment format to the one proposed by the tool, provided that a record of the assessment is retained.

What does the new TRA tool seek to achieve?

The TRA tool divides the assessment process into six questions, with tick box tables for each question and an annex with indicative risk scoring for various categories of data.  

The six questions from the ICO's TRA tool


  1. What are the specific circumstances of the restricted transfer?
  2. What is the level of risk to people in the personal information you are transferring?
  3. What is a reasonable and proportionate level of investigation, given the risk level in the personal information and the nature of your organisation?
  4. Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
  5. (a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
     (b) If enforcement action outside the UK is needed: are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
  6. Do any of the exceptions to the restricted transfer rules apply to the "significant risk data" you have identified (i.e. in Questions 4 and 5 as data which your Article 46 transfer mechanism does not provide all the appropriate safeguards for)?

The ICO has stated that it aims to deliver an assessment that is "reasonable and proportionate" and the TRA tool appears potentially to offer a more flexible and risk-based approach than the EDPB alternative.  The third stage of the EDPB's approach, which involves an assessment of the laws and practices of the destination territory, looking in particular at the safeguards around third party (particularly government) access to the information, can be complex and burdensome for businesses to implement.  The ICO's tool shifts the focus to the protection of human rights in the destination country: it looks at whether, as a result of the transfer, there is any significant increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK.  Only time will tell if the ICO's approach is more straightforward to implement in practice, particularly for more complex arrangements, than the EDPB's approach.

Who is responsible for carrying out the TRA?

The guidance provides helpful clarification that if you are a data controller and it is your processor that is making the restricted transfer (e.g. to a sub-processor), only the processor must complete the TRA.

What's next on the ICO's agenda for international transfers?

The ICO has said that it will now turn its attention to producing clause-by-clause guidance for the IDTA and the UK Addendum to the EU SCCs. 


Dan Reavill
Helen Reddish