ICO publishes updates to its guidance on Transfer Risk Assessments
The question
How will recent updates to the Information Commissioner’s Office’s (ICO) guidance on Transfer Risk Assessments (TRAs) affect how UK organisations conduct their TRAs?
The key takeaway
The ICO’s updated guidance on TRAs (available here) provides that, when considering a “restricted transfer” of personal data to the US, UK organisations may now rely on the analysis produced by the Department for Science, Innovation & Technology (DSIT) instead of having to conduct their own analysis of the risks posed to UK data subjects’ personal data by the US’ data protection regime.
The background
A “restricted transfer” of personal data takes place where: (i) the UK GDPR applies to the processing of the personal data being transferred; (ii) the personal data is being sent, or is made accessible, to a receiver who is located in a country outside the UK; and (iii) the receiver is a separate controller or processor and is legally distinct from the entity making the transfer.
Where there is a restricted transfer of personal data from the UK to a country which is not the subject of an “adequacy decision” by the UK Government, or to which a derogation under Article 49 UK GDPR does not apply, an appropriate safeguard under Article 46 UK GDPR must be put in place before such a transfer may be made (eg the ICO’s International Data Transfer Agreement, the UK Addendum to the EU SCCs etc).
Additionally, before implementing an appropriate transfer mechanism under Article 46 UK GDPR, organisations are required to conduct a TRA, on a case-by-case basis, to assess the risks which may be posed to data subjects by the proposed transfer of their personal data to the country in question. As such, TRAs often involve a lengthy and complex risk analysis process in which organisations must assess the data protection regime to which the importing organisation is subject.
The development
In accordance with the ICO’s desire to empower organisations to innovate (see here), in December 2023, the ICO published updates to its guidance to assist organisations with conducting TRAs for the purposes of making restricted transfers of personal data from the UK to the US.
While the ICO’s updated guidance details: (i) when a TRA needs to be conducted, (ii) the various approaches which organisations may take in conducting their TRAs, and (iii) the tools which are available to organisations to assist them with conducting their TRAs, arguably the most helpful point for organisations is the confirmation that, when considering making a restricted transfer of personal data to the US, UK organisations may rely on the analysis produced by the DSIT (for the UK Extension to the EU-US Data Privacy Framework (DPF)) which confirms that the US provides an adequate level of protection for personal data (see the DSIT’s analysis here).
This means that organisations can now rely on the DSIT’s analysis instead of performing their own assessment of the risks which are posed to UK data subjects’ personal data by the data protection regime in the US.
For more information on the DPF and the UK Extension to the DPF, see our Autumn 2023 Snapshots.
Why is this important?
The ICO’s updates to its guidance on TRAs will streamline the lengthy TRA risk analysis process which previously needed to be conducted by all UK organisations when considering making a restricted transfer of personal data to the US. Additionally, it will reduce the ancillary costs which organisations previously incurred in order to assess whether the US’ data protection regime provided sufficient protection for the personal data of UK data subjects, and will provide UK organisations with the certainty that the risks which are posed by a restricted transfer of personal data to the US have been adequately analysed.
Any practical tips?
Notwithstanding the updates to the ICO’s guidance on TRAs, UK organisations should be aware that, where they rely on the DSIT’s analysis when conducting their TRAs for the purposes of performing a restricted transfer of personal data to the US, they must ensure that their TRAs are reviewed and updated in accordance with any updates to the content of the DSIT’s analysis which may be published in future.
UK organisations should also be aware that, where a US organisation is certified as a participant in the DPF and the UK Extension to the DPF (which can be searched here), then they will be able to transfer personal data to the participating organisations without the need to put in place appropriate safeguards as provided for under Article 46 UK GDPR, or to conduct TRAs.
Spring 2024
Stay connected and subscribe to our latest insights and views
Subscribe Here