The Information Commissioner's Office (ICO) has issued new guidance on transfer risk assessments for organisations seeking to make restricted transfers of personal data to the United States under Article 46 of the UK GDPR.
The new guidance encourages organisations to incorporate published analysis from the Department for Science, Innovation, and Technology (DSIT) into their transfer risk assessments to streamline the process.
A reminder - requirements for restricted transfer
Under the UK GDPR, organisations are prohibited from transferring personal data outside of the UK unless there is an approved Article 46 transfer mechanism in place (such as the ICO's International Data Transfer Agreement or the Addendum to the EU Standard Contractual Clauses), or the recipient country is subject to an adequacy decision.
Following the Schrems II case in 2020, before UK organisations can transfer personal data under Article 46, they must undertake a transfer risk assessment (TRA).
What is a TRA?
A TRA is a risk assessment that must be completed by an organisation before an overseas data transfer takes place pursuant to Article 46. The purpose of a TRA is to ensure that the relevant Article 46 mechanism sufficiently protects against:
- Risks to the rights of individuals that arise in the destination country from third parties accessing the information that are not bound by the Article 46 transfer mechanism, in particular from government and public bodies, and
- Risks to individual’s rights arising from difficulties enforcing the Article 46 transfer mechanism.
What does the new guidance say about UK-US TRAs?
The new guidance provides additional information on how risk assessments for UK-US transfers can be completed to achieve compliance. A TRA is a complicated document that can be difficult and costly to complete, as it requires an in-depth assessment of international data protection laws.
In an effort to minimise this compliance burden, the new ICO guidance encourages organisations to rely on DSIT’s published analysis to streamline their TRA process for UK-US transfers. DSIT conducted a comprehensive analysis on the US data bridge, considering the rule of law, fundamental rights, an independent supervisory authority, and international commitments, as well as the application of US laws and practices more generally.
The analysis covers issues that should be included in UK-US TRAs, and as such organisations can incorporate the DSIT analysis into their TRAs by reference, rather than by repetition, particularly regarding risks arising from third parties accessing information and challenges in enforcing transfer mechanisms.
The ICO provides examples illustrating how organisations can use the DSIT analysis within the context of their TRAs when using transfer mechanisms like the International Data Transfer Agreement or the UK Addendum to the SCCs.
Practical implications
The new guidance may assist with lowering the compliance burden for organisations making personal data transfers from the UK to the US. However, the ICO advises organisations that they must keep under review any published updates to the DSIT analysis.
If there is a change to the DSIT conclusions referred to in the TRA, then an organisation must review and update its TRA to reflect those changes.
Beverley Flynn
Guy Cartwright
Sinead Hughes