The UK’s ICO has published guidance on international transfers for businesses and organisations which process personal data.
Following the publication of the International Data Transfer Agreement (IDTA) and the Addendum to the European Union Standard Contractual Clauses (SCCs), the ICO has published guidance on international data transfers. The guidance includes a section specifically covering transfer risk assessments. It sets out an approach that differs from the one offered by the EDPB, in an effort to find an achievable way of delivering the right protection to individuals in the UK. To give people a better understanding of how to navigate international transfers, the ICO has also included a transfer risk assessment tool consisting of six questions which would clarify risk levels for various categories of data.
Transfer rules under the UK GDPR are established to protect personal data being transferred to separate entities outside of the UK.
Under the UK GDPR, various protective rules apply to transfers of personal data outside of the UK, as any data transferred outside the UK risks losing the protection of UK data protection law. These protective rules apply when the receiver of the data is legally separate from the sender, i.e. the receiver is a controller or processor who is a separate entity from the sender. The rules do not apply if the receiver is an employee of the sender or if the sender and receiver are both part of the same legal entity, for example if they both work for the same organisation. The transfer of personal data to a legally separate receiver located outside the UK is regarded as a ‘restricted transfer’. A restricted transfer is made once you initiate and agree to send personal data, or make it accessible, to a receiver who is located in a country outside the UK, in which case the UK GDPR would apply to this transfer.
The guidance on international transfers from the ICO strongly recommends the use of transfer risk assessments to maintain compliance with the UK GDPR.
The ICO’s guidance on international transfers details the “appropriate safeguards” listed in Article 46 of the UK GDPR. These include the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU’s Standard Contractual Clauses or SCCs (the Addendum) and the Binding Corporate Rules (BCRs). Carrying out a transfer risk assessment will help determine which of the Article 46 transfer mechanisms can be used in order for the transfers to uphold the UK data protection regime. These measures help maintain compliance with the UK GDPR and protection for the rights and freedoms of natural persons in the UK. As a result, it is imperative that transfer risk assessments are carried out to determine which transfer tool would best satisfy these requirements.