On 17 November 2022, the UK Information Commissioner’s Office issued updated guidance on international personal data transfers. The guidance is to be used for transfers of personal data from the UK to third countries. The ICO added a template transfer risk assessment (TRA) to the guidance, which is required when organisations rely on a transfer tool under Article 46 of the UK GDPR, e.g. the ICO’s International Data Transfer Agreement (the UK version of the EU SCCs), the Addendum to the EU SCCs, or the Binding Corporate Rules. The requirement to carry out transfer impact assessments stems from Article 46(1) of the UK GDPR, which states that the transfer mechanisms can be used “on condition that enforceable data subject rights and effective legal remedies for data subjects are available”, as confirmed by the CJEU’s Schrems II judgement.

The ICO’s TRA offers an alternative approach to the EDPB’s transfer impact assessments (TIA), to assist data exporters with carrying out their analysis to check that the protections under the transfer tool are not undermined by the laws and practices of the recipient third country.

How is the ICO’s TRA tool different to EDPB’s TIA?

As the data importer is bound by the terms of the Article 46 transfer mechanism (e.g. the SCCs), the ICO is primarily concerned with the following risks to the rights of data subjects in the destination country:

  • the risk of third parties (e.g., government and public bodies) that are not bound by the Article 46 transfer tool accessing the transferred personal data; and
  • the risk to people’s rights arising from difficulties enforcing the Article 46 transfer mechanism.

The ICO has six questions in its TRA tool. Below is a comparison to the EDPB’s six-step TIA approach.

The ICO will continue to recognise risk assessments which follow the EDPB approach, but it has provided an alternative method to TIAs. First, the TRA offers to rate the level of risk in the personal data subject to transfer based on the nature and volume of the personal data. The ICO offers a sample list of personal data categories with prescribed levels of risk based on its assessment (e.g., name is a “low” risk, whereas gender is “high” risk).

The ICO also focuses on whether the transfer of personal data from the UK will lead to any increase in the risk to people’s human rights. The question the ICO asks the data exporter to answer in the TRA is: “Are people in a sufficiently similar position about any risks to their data privacy and human rights?” The ICO suggests technical measures to protect personal data that range from password protection and staff training to the more familiar measures recommended by the EDPB, such as encryption and pseudonymisation.

Who is responsible for carrying out a TRA?

The ICO clarified who is responsible for carrying out TRAs as follows:

“If you are a controller, and your processor is making the restricted transfer, only the processor must complete the TRA.”

“If you are a processor, it is never a restricted transfer when you send or return data to your controller (provided it is your controller of that same data).

This data flow is the responsibility of the controller, as it must always have been initiated and agreed by them, probably in your processor agreement. This means it cannot be a restricted transfer as it would be a transfer within the same legal entity (i.e. from the controller back to the same controller).

You are responsible for complying with the transfer rules if you have initiated and agreed to the data flow, usually to your sub-processors.”

The EDPB, in contrast, does not specify who should carry out the transfer impact assessment, except that it should be a data exporter (a controller or a processor) in collaboration with the data importer, where appropriate.

Comment

The ICO’s approach shifts the analysis of the Article 46 requirement to a risk-based assessment of the individual transfer, rather than assessing whether the laws/practices of the third country provide an essentially equivalent protection of personal data transferred as set out in the EDPB’s recommendations.

The ICO’s TRA is limited to transfers from the UK. Organisations in the UK are likely to embrace the ICO’s TRA tool, especially if they are small to medium organisations, as it may be less cumbersome than completing transfer impact assessments in each instance.

Organisations which transfer from both the UK and EU may wish to continue following the EDPB’s approach so that there is a uniform approach to the transfer impact assessments. Please get in touch if you have questions regarding the ICO’s TRA or the EDPB’s TIA.