January 28, 2023

Volume XIII, Number 28



UK ICO Publishes New Guidance and a Tool for Transfer Risk Assessments

On November 17, 2022, the UK data protection regulator, the Information Commissioner’s Office (“ICO”), published updated guidance on international transfers that includes a new section on transfer risk assessments (“TRAs”) and a TRA tool.

In its statement regarding the updated guidance, the ICO describes the TRA guidance as “an alternative approach to the one put forward by the European Data Protection Board” and says its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”

TRA Guidance

The TRA guidance states that if an organization is relying on an Article 46 transfer mechanism, it must carry out a TRA. The ICO notes that the TRA will help the organization to consider whether, in the circumstances of the transfer and with the chosen Article 46 transfer mechanism in place, the “relevant protections for people under the UK data protection regime will be undermined.” In referring to Schrems II, the guidance states clearly that the Court’s decision that a TRA must be conducted before relying on an Article 46 mechanism forms part of UK data protection laws.

The ICO considers there to be two approaches to conducting a TRA:

  • Option 1: The ICO’s approach in the TRA tool discussed further below; and

  • Option 2: The European Data Protection Board’s approach (i.e., an assessment where the laws and practices of the exporting country are compared to the laws and practices of the importing country in order to assess the risks). This involves looking at the safeguards in place about third-party access to the information, in particular by governments.

The ICO states that it “is happy for organisations exporting data from the UK to carry out an assessment that meets Option 1 or Option 2.”

TRA Tool

The TRA tool is a template document with six questions and guidance on how to complete the TRA. It gives an initial risk level for categories of data and, according to the ICO, has moved the focus to “whether the transfer significantly increases the risk of either a privacy or other human rights breach” as it believes “this captures the key risk to the people the data is about, and is also achievable.”

What Is Next for the ICO?

The ICO has confirmed that it is currently working on guidance showing organizations how to use the International Data Transfer Agreement and the Addendum to the EU Standard Contractual Clauses, which will include clause-by-clause guidance. It is also “considering” extending the TRA guidance to include worked examples of the TRA tool in practice. The ICO also welcomes experiences of using the guidance and the TRA tool and intends to hold sessions in 2023 with the aim of learning from organizations and ultimately improving its products.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 322
