On November 17, 2022, the Information Commissioner's Office (ICO) published its long-awaited updated guidance on international data transfers, including additional guidance on completing transfer risk assessments (TRAs), and published a new TRA Tool.
The ICO's announcement of the new guidance notes the increasingly global nature of businesses and explains that the aim of the guidance is to provide certainty, for all involved, that the right level of protection is in place for international data transfers.
The ICO's guidance offers an alternative to the European Data Protection Board's (EDPB) approach, and the ICO has explained that organisations exporting data from the UK can carry out an assessment that meets either the approach outlined in the ICO's new TRA Tool, or the existing EDPB's approach.
The guidance outlined by the ICO focuses on the risks to the rights of data subjects, and explains that:
"The key question is whether, as a result of the transfer, there is any increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK."
This is a deviation from the EDPB's existing guidance, which places more of an emphasis on the data protection regime in place in the recipient country, and whether it affords an adequate level of protection.
The updated guidance follows the ICO's publication earlier this year of the International Data Transfer Agreement (IDTA) and the Addendum to the European Union Standard Contractual Clauses (SCCs). The ICO has also confirmed that they are producing guidance on use of the International Data Transfer Agreement and the Addendum to the SCCs, both of which will include clause-by-clause guidance.
NEW TRA TOOL
The ICO's TRA Tool provides UK organisations with a template to use when carrying out a TRA – and offers UK businesses a more practical alternative to the EDPB's guidance. However, the template is designed for a straightforward transfer where information is going to one importer in one destination country. It is therefore left to businesses to adapt the tool to more complex arrangements or follow the EDPB guidance.
The TRA Tool contains six questions and uses tables with check-boxes to record responses. Helpfully, it also contains an appendix that gives suggested risk levels for many different categories of personal information. The risk scores are Low (name, address, age etc.), Moderate (CCTV, marital history etc.) and High (gender, biometric data, medical records etc.). These suggested risk levels can inform responses to a number of the questions posed throughout the TRA, particularly the risk assessment at question 2.
Each of the questions offers context and guidance on how to respond, with example answers given for some of the more complex questions. The Tool also provides examples of practical steps organisations can take based on the level of protection needed, e.g. encrypting personal information prior to transfer when significant protection is required. While these are only suggestions, they may go some way to informing the technical and organisational measures needed to ensure compliance and are likely to be welcomed by organisations seeking further clarity.
ADDLESHAW GODDARD: DATA PROTECTION, PRIVACY & CYBERSECURITY
Our global data protection and information law team is one of the largest teams in the UK and in Europe. Our experienced and hands-on team have in-depth expertise across all areas of data, information & cybersecurity law and always remain on the pulse with the ever-changing world of data protection and privacy.
Addleshaw Goddard's International Data Transfers Express tool provides a streamlined process for implementing TRAs and the SCCs/IDTA, and has been updated to incorporate the latest ICO guidance. For further information on the Data Transfers Express Tool, to arrange a demonstration of the tool, or for support on international data transfers more broadly, please contact firstname.lastname@example.org