ICO guidance on international transfers and the Transfer Risk Assessment tool
The ICO has recently updated its guidance on international transfers to, amongst other things, include a new section of guidance specifically relating to Transfer Risk Assessments (TRAs) and a tool for conducting the same.
The new section of the guidance covers what a TRA is (a way of assessing if the transfer mechanism you are using will provide appropriate safeguards and effective enforceable rights), when it should be used (whenever you are relying on an Article 46 transfer mechanism) and its scope (reasonable and proportionate) and also sets out the two approaches which can be taken, namely, the use of the ICO transfer tool, or to use the approach taken by the EDPB.
The approach taken by the ICO tool is to consider (in light of the specific circumstances of the transfer) the position of individuals where their data is processed within the UK compared with their position if the transfer takes place.
The ICO identifies that the essential question the risk assessment should answer is if there is any increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK. The assessment looks generally at the level of protection of human rights in the destination country as well as risks of enforceability of the transfer mechanism.
This approach differs from the EU approach of comparing the laws and practices of the destination country with those of the UK in order to assess the risks of the transfer.
The tool is made up of 6 questions (with a number of sub questions) which are designed for a “straightforward” transfer (one importer in one location), but which can be adapted to more complex situations. The questions relate to:
- The specific circumstances of the transfer (e.g., exporter, receiver, controller/processor etc.)
- The level of risk to people in the data which is being transferred
- The level of investigation required into the destination country
- Whether there is a significant increase in the risk of a human rights breach in the destination country
- The enforceability of the transfer mechanism
- Exceptions to the restricted transfer rules which would permit the transfer
The ICO has added an appendix indicating the initial level of risk that it considers certain types of data present as well as some guidance on extra measures which could be taken to reduce risks identified by the assessment.
It is likely that the approach taken by the ICO will yield different results to the use of the EDPB recommendations in some instances and so care must be taken in deciding which approach to adopt. It will not necessarily follow that using the ICO tool will be appropriate where compliance with EU GDPR is needed.
You can access the full guidance on TRAs and the TRA tool here.
Guidance on the International Data Transfer Agreement is understood to be forthcoming shortly.