The ICO allows organisations to act according to their risk appetite, but those who are also EU-regulated will not benefit fully.

The recently published ICO guidance on international data transfers has provided organisations with increased clarity on how best to protect people’s data whilst adopting a reasonable and proportionate approach.

On 17 November 2022, the ICO expanded its guidance on international transfers to include a section on transfer risk assessments (TRAs) and a new TRA tool. The ICO’s approach strikes a balance between “protecting people’s personal information” and “empowering innovation and growth”, and is in this respect a welcome development compared with the approach previously taken by the European Data Protection Board (EDPB).

This article provides an overview of the TRA Tool; sets out the key points arising from the ICO’s approach, particularly in the context of some notable departures from the EDPB’s position; and considers whether any further guidance may still be required.

Background to the guidance

The ICO’s guidance has been eagerly awaited by organisations that have often been left with more questions than answers following a number of changes to the international data transfer landscape during recent years. The introduction of the EU General Data Protection Regulation (EU GDPR) in May 2018 was closely followed by the UK’s departure from the EU, causing uncertainty for EU data controllers looking to transfer data to the UK (and vice versa). Two adequacy decisions were adopted by the European Commission (EC) in June 2021 to permit transfers of personal data from the European Economic Area (EEA) to the UK, though this agreement is being kept under review by the EC.

On 16 July 2020, the Schrems II case brought further disruption to international data transfers, as the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield invalid and shone a light on issues with the EC’s Standard Contractual Clauses (SCCs). This prompted the EC to draft new SCCs, introduced on 27 June 2021, and an 18-month grace period was given to organisations to amend existing contracts to incorporate the new SCCs. This grace period ended recently on 27 December 2022. Any contracts which still contain the old SCCs will be open to challenge on the basis that they are no longer compliant with the EU GDPR.

On 18 June 2021, the EDPB adopted its final recommendations on supplementary measures for data transfers, which included a six-step roadmap to guide organisations. Following public consultation in 2021 on the draft international data transfer agreement (IDTA), TRA Tool and international transfer guidance, and the publication of the IDTA in February 2022, the ICO has now published its own guidance on TRAs as of November 2022.

An overview of the ICO's TRA tool

Organisations relying on a transfer mechanism under Article 46 of the UK General Data Protection Regulation (UK GDPR) to make a restricted transfer[1] must carry out a TRA to ensure that the transfer mechanism provides appropriate safeguards and enforceable rights for data subjects.

The ICO’s guidance sets out two approaches to conducting a TRA, both of which are acceptable to the ICO:

  • Option 1 assesses risk from a privacy and human rights perspective, and asks whether, as a result of the transfer, there is any increase in risk to people’s privacy and other human rights compared with the risk if the data remained in the UK. This is the approach used by the ICO in the TRA Tool (although the Tool is not mandatory to use).

  • Option 2 is the EDPB’s approach and involves an assessment of the laws and practices of the UK compared to those of the importing country, including any safeguards in place preventing government access to data.

The TRA Tool is 41 pages long and comprises six questions:

  • Question 1 requires organisations to provide information about which data categories are being transferred, the purpose for the transfer and information about the importer and importing country along with any relevant organisational and technical measures.

  • Question 2 asks organisations to assign a low, moderate or high risk level to the data transfer based on the information provided in Question 1 and using the helpful information in the Appendix, which details the risk level to be assigned to each data category. Organisations should consider any aggravating and mitigating factors which may increase or reduce the risk level assigned.

  • Question 3 assesses what a reasonable and proportionate level of investigation might look like, taking into account the risk level assigned at Question 2, the size of the organisation, resources available to it, and the volume of data to be transferred. The data protection fee tiers may be used as a guide to help organisations assess whether they are considered a small and medium-sized enterprise (SME) for the purposes of Question 3. There are three levels of possible investigation, the most thorough of which is a Level 3 investigation.

  • Question 4 requires organisations to assess the findings of the investigation conducted and decide whether a transfer significantly increases the risk of a data subject experiencing a human rights breach in the importing country.

  • Question 5 asks the organisation to consider whether the organisation and data subject would be able to enforce the Article 46 data transfer mechanism (e.g. SCCs) against the data importer, either in the UK or in the destination country. At the end of Question 5, the Tool may approve the transfer. If the transfer is not approved, organisations must move on to consider Question 6.

  • Question 6 asks whether any exceptions apply to the “significant risk data” identified. For example, the organisation may have the explicit consent of the data subject, or the transfer may be required for the performance of a contract between the organisation and data subject. At the end of either Question 5 or Question 6, the Tool will advise whether the organisation may proceed with the transfer in light of the details provided and any applicable exceptions. If a transfer is not approved by the Tool, organisations are advised not to make the transfer but may seek professional data protection advice to review the assessment.

Key points arising from the ICO's guidance

The ICO’s practical approach:

The TRA Tool allows organisations to take a risk-based approach to international data transfers, marking a welcome departure from the EDPB’s approach. The ICO’s guidance is both practical and proportionate, allowing for some deference to the risk appetite of individual organisations, and to the scale (and available specialist privacy and legal support) of those organisations.

This practical approach is woven throughout the TRA Tool. At Question 4, the ICO asks organisations to consider whether it is likely that any of the data subjects are, or will be, citizens of the importing country or are likely to travel there, as this affects the likelihood of a human rights breach.

Question 6 allows organisations to assess significant risk data separately from low-risk data, making it possible for organisations to proceed with the transfer only in relation to the low-risk data. Additionally, the ICO permits organisations to choose appropriate mitigation measures in circumstances where data is transferred to a cloud provider without being encrypted or pseudonymised. By contrast, the EDPB’s guidance suggests that no such mitigation measures could facilitate a transfer in these circumstances.

Whilst many organisations will look to reap the benefits of the ICO’s practical approach, an issue will arise for organisations that have branches in the EU or EU processing operations.

For such organisations, the ICO’s TRA Tool may prove to be of limited significance. Although it can be relied on in relation to UK data, it cannot be used to assess transfers of EU data. Moreover, if organisations intend to adopt a ‘one company’ approach to data transfers, they will likely need to rely on the EDPB’s guidance rather than the ICO’s (much more pragmatic and user-friendly) TRA Tool. This limitation will be faced by an increasing number of organisations that offer goods and services in the EU in addition to the UK and are therefore dual regulated.

Identifying a ‘restricted transfer’:

The ICO’s deviation from the EDPB’s approach is also evident from its explanation of what constitutes a restricted transfer. Notably, the ICO has stated that reverse transfers from processors - involving a processor returning personal data from the UK to a controller outside the UK - will not be considered as restricted transfers. Likewise, a transfer of personal data between a UK company and its overseas branch is not a restricted transfer provided that the branches are part of the same legal entity. This clarity is particularly helpful given that the making of a restricted transfer triggers the compliance requirements under the UK GDPR in relation to international data transfers.

Who is responsible for completing the TRA Tool?

Under the ICO’s guidance, the party initiating the transfer is responsible for ensuring the data transfer is compliant with the UK GDPR. For example, a processor who appoints a sub-processor will be seen to have initiated the transfer of personal data to the sub-processor and will be responsible for completing the TRA Tool. This provides processors with a degree of flexibility, albeit that such flexibility is limited by the right of controllers to object to sub-processors under Article 28.

Controllers may be relieved that the burden of compliance will formally shift to processors in certain circumstances, but they must remain mindful of their responsibility to discharge their Article 28 obligations and conduct reasonable and proportionate due diligence in relation to the transfer. It remains to be seen how this will be incorporated into contractual obligations and whether additional drafting will be required to ensure controllers are comfortable with the compliance obligations sitting with processors.

Is further guidance required?

The ICO’s guidance has delivered welcome clarification to organisations against the backdrop of evolving international data transfer rules. The deviation from the EDPB’s position has also provided organisations with the ability to risk-assess transfers in a more practical and proportionate manner.

However, the guidance has not provided a perfect antidote to all international data transfer queries and importantly the TRA process still requires an organisation to dedicate time and resources to assess the risks associated with international data transfers. The TRA Tool is designed for relatively simple data transfer arrangements and organisations looking to engage in transactions involving complex data flows (particularly those with parties based in the EU which are also transferring personal data to a third country) may need to revert to the EDPB’s guidance. Helpfully, however, the ICO is also considering whether to release examples of how the TRA Tool works in practice, which may include details of more complicated arrangements. The ICO has also confirmed that it is working on guidance relating to the International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs, which will further assist organisations.

Further guidance may also be required as a result of the increased deference offered to organisations within the ICO’s approach. The ICO has purposefully allowed organisations to consider their own risk appetites and available resources as part of the TRA process. However, for some organisations this subjectivity may result in a sense of increased ambiguity. Any such issues should be captured in the feedback sessions planned with the ICO in early 2023, during which organisations will be able to share their experience of the TRA Tool, including whether the ICO’s practical approach has resulted in a practical improvement of the TRA process.

Whilst it is still early days for organisations that are getting to grips with the new TRA Tool and the ICO’s approach to regulating this complex area, our initial conclusions are that the ICO’s guidance is: (a) very welcome; (b) bold in its attempt to be user-friendly, practical and risk-based; and (c) as a result, likely to be of significant value to businesses (especially SMEs) and data subjects.

Contributor: Tillie Clark

This article was first published in Privacy Laws & Business UK Report, January 2023, www.privacylaws.com


[1] By ‘restricted transfers’, the ICO means transfer of personal data to controllers or processors that are legally distinct from the sender, and located outside the UK.


Date published: 01 February 2023
