The Information Commissioner’s Office (“ICO”) has revealed a revised guidance on international data transfers, including a new section on transfer risk assessments (“TRA”) and a TRA tool.
The UK GDPR contains rules about transfers of personal data to importers located outside the UK, which are referred to as restricted transfers. One way to comply with the UK GDPR rules on restricted transfers is to implement an Article 46 transfer mechanism. These are the so-called appropriate safeguards and examples include the ICO’s International Data Transfer Agreement (“IDTA”), the Addendum to the EU SCCs (the “Addendum”) and Binding Corporate Rules (“UK BCRs”).
The implementation of a TRA helps organisations ensure that, in specific circumstances of restricted transfers, the Article 46 transfer mechanism will provide adequate protections as well as effective and enforceable rights for people.
Alternative EDBD framework for international data transfers
As a result of the ruling in Schrems II which confirmed the role of risk assessments in the regulations on restricted transfers, the ICO requires TRAs to be implemented by companies intending to make a restricted transfer of personal data from the UK and to assist UK data exporters to make reasonable and proportionate TRAs in order to guarantee that appropriate protection is afforded to data subjects.
For instance, carrying out a risk assessment to confirm whether the personal data established by the UK data protection regime will be upheld in the jurisdiction where the data importer is located. Such analysis being in addition to implementing a legally enforceable data transfer safeguarding mechanism for data subjects under Article 46 of the UK GDPR (which includes using IDTAs or UK BCRs).
New TRA tool
The newly announced TRA tool is a template document comprised of six questions and provides direction to assist UK data exporters reach a preliminary risk level valuation for the relevant categories of data, and to determine whether the circumstances of their data transfer significantly increases the risk of either a privacy or other human rights breach.
If by using the TRA tool, an organisation finds that its Article 46 transfer mechanism will not provide appropriate safeguards and effective and enforceable data subject rights for all the personal data, then it must not make the restricted transfer. The tool accordingly also helps identify any additional steps and extra protections that need to be implemented in order for the overall international transfer mechanism to be compliant.
Further guidance from the ICO on how to implement IDTAs and the Addendum to the SCCs is expected to be revealed in the coming months.
Please contact Jose Saras and Xavier Prida if you have any questions about international data transfer mechanisms and risk assessments.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.