What’s this about?
The UK’s data protection regulator the Information Commissioner’s Office (ICO) recently issued a transfer risk assessment tool along with guidance on international data transfers risk assessment. This article provides a look at the guidance and the tool.
What’s an international data transfer?
EU GDPR regulates international data transfers, which can only be made in certain ways and subject to various conditions. EU Standard Contractual Clauses (“SCCs”) have been a widely used data transfer instrument for data transfers from the EU. In 2021 new SCCs came into force – organisations using pre-2021 SCCs must ensure that they transition to the new SCCs by 27 December 2022.
Following Brexit, UK GDPR replaced EU GDPR for the UK – UK GDPR (along with the UK Data Protection Act 2018) regulates international data transfers (officially called “restricted transfers” in the UK). One way to comply with UK GDPR rules on international data transfers is to put in place an appropriate transfer mechanism, which include the ICO’s International Data Transfer Agreement (“IDTA” – this is in effect the UK equivalent to the SCCs), the Addendum to the EU SCCs (“the Addendum”), and “Binding Corporate Rules” (“BCRs”).
If an organisation is relying on an appropriate transfer mechanism it must carry out a transfer risk assessment. The risk assessment is designed to help an organisation consider whether, in the circumstances of the transfer and the chosen transfer mechanism, the relevant protections for individuals under the UK data protection regime will be undermined or not. If there are concerns then measures must be put in place to address these.
What are the risks to be considered?
According to the guidance, there are two broad types of risk an organisation must consider in a transfer risk assessment:
- Risks to individuals’ rights arising in the destination country from third parties accessing the information that are not bound by the transfer mechanism in question, in particular government and public bodies; and,
- Risks to individuals’ rights arising from difficulties enforcing the transfer mechanism in question.
According to the guidance, there are two approaches to conducting a transfer risk assessment, in particular for the first set of risks:
- Option 1 – This is the ICO’s approach in its Transfer Risk Assessment tool. Here, the assessment compares the position of the individuals that the data is about, in the specific circumstances of the transfer: (a) if the information remains in the UK; and, (b) if the proposed transfer goes ahead. This assessment looks at the risks to individuals’ rights. According to the ICO, the key question is whether, as a result of the transfer, there is any increase in the risk to individuals’ privacy and other human rights, compared with the risk if the information remains in the UK, i.e. once individuals’ information is in the receiving party’s hands, are individuals in a sufficiently similar position about any risks to their data privacy and human rights? If there is no significant additional risk, then, according to the ICO, the transfer may go ahead. Because the receiving party is contractually bound to comply with the data protection rights in the transfer mechanism in question, the main focus of this assessment is on the protection of human rights more generally in the destination country. The ICO’s Transfer Risk Assessment Tool sets out one way to carry out a transfer risk assessment, with questions, guidance and a template to complete;
- Option 2 – This is the approach taken by European Data Protection Board. Here, the assessment compares the laws and practices of the UK (including UK GDPR) to the laws and practices of the importing country in order to assess the risks outlined above. This involves looking at the safeguards in place about third party access to the information, in particular by governments. Those safeguards do not need to be identical to those in the UK, but must be sufficiently similar.
According to the guidance, importantly, the ICO is happy for organisations exporting data from the UK to carry out an assessment that meets either Option 1 or Option 2.
When should a transfer risk assessment be carried out?
A transfer risk assessment needs to be carried out if an organisation is making an international data transfer and the organisation wishes to rely on one of the appropriate transfer mechanisms, such as the IDTA, Addendum or BCRs.
An organisation does not of course need to carry out a transfer risk assessment if it is making a transfer to any country covered by a UK “adequacy” decision or if the transfer is covered by an exception under UK GDPR (note however that it is very difficult to try and rely on one of the exceptions).
According to the guidance, if an organisation is a data controller, and its data processor is making the international data transfer, only the processor must complete the transfer risk assessment. In that situation, a data controller organisation must still carry out reasonable and proportionate checks about whether the processor’s international data transfers are compliant with UK GDPR, including its obligation to carry out a transfer risk assessment.
If the receiving party is sending the data to third parties it must look at how this complies with the IDTA, Addendum, BCR or other appropriate transfer mechanism it is using. Either a transfer risk assessment must be carried out for so-called “onward transfers”, or the receiving party must carry out the transfer risk assessment and provide the sending party with sufficient reassurance that it has done so in compliance with the requirements of the IDTA.
If an organisation is making a series of connected, repeated or similar international data transfers it can, either, carry out a transfer risk assessment for each international data transfer, or, one transfer risk assessment that covers all of them. If the chosen appropriate transfer mechanism covers repeated international data transfers or an ongoing flow of transfers to the receiving party, the sending party must regularly reassess the level of protection the appropriate transfer mechanism provides (and any extra steps and extra protections that have been taken alongside it).
It must be ensured that the level of protection does not decrease over time and so regular consideration must be given as to whether the level of protection may be undermined by:
- Changes to the processing by the receiving party;
- Changes to the legal framework in the destination country; or,
- Technical developments making it easier to by-pass security arrangements.
What is the scope of a transfer risk assessment?
According to the guidance, whatever type of risk assessment an organisation carries out, its scope must be reasonable and proportionate. This should take into consideration the risk to individuals inherent in the personal data being transferred, the amount of data being transferred, and the size of the data controller or data processor making the international data transfer and accordingly the resources available to it. The ICO’s Transfer Risk Assessment Tool includes further guidance about how to approach this.
What is the ICO’s Transfer Risk Assessment Tool?
The ICO’s Transfer Risk Assessment tool is a template document with questions and guidance that sets out one way that a transfer risk assessment can be carried out.
As the guidance says, an organisation does not need to use the Transfer Risk Assessment Tool, but it may still use the questions to guide it through its own transfer risk assessment. The questions are as follows:
- What are the specific circumstances of the restricted transfer?
- What is the level of risk to people in the personal information being transferred?
- What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of the organisation?
- Is the transfer significantly increasing the risk for individuals of a human rights breach in the destination country?
- (a) Are you satisfied that both you and the individuals the information is about will be able to enforce the appropriate transfer mechanism against the importer in the UK? (b) If enforcement action outside the UK may be needed, are you satisfied that you and the individuals the information is about will be able to enforce the appropriate transfer mechanism in the destination country (or elsewhere)?
- Do any of the exceptions to the international data transfer rules apply to the “significant risk data”?
The “significant risk data” is the data an organisation identifies in questions 4 and 5 above as data which the chosen appropriate transfer mechanism does not provide all the appropriate safeguards for.
If by using the Transfer Risk Assessment Tool an organisation decides that its chosen appropriate transfer mechanism will not provide appropriate safeguards and effective and enforceable data subject rights for all the personal data, then, according to the ICO, the organisation must not make the international data transfer. As the guidance also says, an organisation may put in place extra steps and extra protections and work through the Transfer Risk Assessment tool again.
Whilst guidance is only guidance (i.e. only a court has the final say on the interpretation of UK GDPR as regards UK international data transfers), the guidance is well worth bearing in mind.
The Transfer Risk Assessment Tool itself is a thorough and detailed document and may take some time to complete.
We write about privacy/data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary
The ICO’s international data transfers risk assessment guidance and tool can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/transfer-risk-assessments/.
The ICO’s guidance on international transfers can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/ .
The “EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” can be found here: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|