ICO TRA Update
Key Contact: Declan Goodwin
Author: Courtney Wilbor
The Information Commissioner’s Office (“ICO”) recently published updated guidance on international data transfers. This included the introduction of the ICO’s new transfer risk assessment (“TRA”) Tool.
When do businesses need to use a TRA?
TRAs are essential for any business that is subject to the UK General Data Protection Regulations (“UK GDPR”) seeking to transfer personal data outside of the United Kingdom to a country not covered by UK adequacy regulations (known as a “restricted transfer”).
Any business making a restricted transfer will need to ensure that this is compliant with UK GDPR by using one of the transfer mechanisms to make sure the personal data concerned is protected to the same standards in the location it is sent to. These transfer mechanisms provide appropriate safeguards for businesses undertaking restricted transfers, whilst also conferring data subjects effective and enforceable rights. Under these safeguards, businesses are subject to a legal obligation to conduct a TRA and submit this to the ICO if necessary.
Under the new guidance, if your business is a data controller and the data processor is making the restricted transfer, only the processor must undertake a TRA. However, as a controller you remain obliged to ensure that the processor’s restricted transfers remain compliant with UK GDPR, including completing a TRA. On this basis, it is recommended that any data controllers either check the processor’s TRA, or complete a TRA themselves to confirm compliance. Alternatively, if a data recipient sends personal data to third parties, the responsibility to conduct a TRA can lie with either the UK data exporter or the data recipient making the onward transfer.
What is the ICO’s new TRA Tool?
The ICO’s Tool enables businesses to consider whether, as a result of the transfer, there is any increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK. Where no serious risk is identified, the transfer is permitted.
The Tool contains six questions for businesses to answer:
- What are the specific circumstances of the restricted transfer?
- What is the level of risk to people in the personal information you are transferring?
- What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
- Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
- (a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
(b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
- Do any of the exceptions to the restricted transfer rules apply to the significant risk data?
The Tool also provides an Appendix which contains useful information such as initial risk scores for different categories of personal data and examples of extra steps and protections that businesses can utilise to reduce the risk score attached to the personal data. This is beneficial for any business as it provides practical examples of the technical and organisational actions required for GDPR compliance.
How does the ICO’s guidance differ from previous guidance?
Prior to the release of this guidance, following the Schrems II judgment, the European Data Protection Board (“EDPB”) provided recommendations for businesses transferring personal data outside of the UK. Whilst businesses can select which guidance they follow, it is worth noting the main differences between the two.
EU GDPR– One consideration to make when deciding which guidance to follow is whether the personal data being transferred is subject to both UK and EU GDPR. As it has not yet been seen from an EU law perspective whether the EDPB determines that the ICO’s approach is adequate, it may be preferrable for businesses subject to both pieces of GDPR to adhere to the EDPB guidance.
Risk-based approach – A significant difference that any business should note is that the new ICO guidance provides a risk-based approach to international data transfers. For example, under Question 2, a transfer of personal data is considered to be a low harm risk if it is “unlikely to cause more than inconsequential financial harm, physical harm, mental harm or distress if it is misused or lost, with only minimal actions (if any) required to rectify the situation.”
Where all categories of personal data being transferred are considered to be a low harm risk, the ICO guidance permits the restricted transfer without businesses answering the remaining questions. This differs from the EDPB approach which necessitates a local law assessment regardless of the risk.
What is next?
The ICO has confirmed that it is currently producing guidance on how businesses can use the International Data Transfer Agreement and the Addendum to the EU Standard Contractual Clauses. Further guidance on TRAs from the ICO may also include worked examples of the TRA Tool in practice, providing businesses with increased clarity on how they can appropriately safeguard international data transfers.
For further information and assistance on any GDPR or international data transfer queries you may have, please get in touch with our Commercial and Technology Team.
