A ‘Transfer Risk Assessment’ is an assessment which must be carried out under data protection laws, allowing organisations subject to the UK GDPR to make ‘restricted transfers’ of personal data from the UK to certain countries outside of the UK lawfully.
If your organisation is making international data transfers, you may be legally required to carry out a Transfer Risk Assessment (TRA) under the UK GDPR. This complex assessment is essential to ensure that individuals’ data remains protected when transferred to countries outside the UK. Whether you’re using the ICO’s International Data Transfer Agreement, EU Standard Contractual Clauses with a UK addendum, or Binding Corporate Rules, the requirement to assess risk is a crucial compliance step that can’t be overlooked. Our experienced data protection solicitors can guide you through the assessment process, help you evaluate the privacy and legal risks involved in overseas transfers, and ensure your documentation stands up to scrutiny.
When is a TRA needed?
A Transfer Risk Assessment must be completed where an organisation makes a transfer of personal data outside of the UK using the ICO’s International Data Transfer Agreement; the European Commission Standard Contractual Clauses with a UK Addendum; or Binding Corporate Rules, in line with the ICO’s guidance on international data transfers.
Please note that the assessment isn’t needed where the transfer of personal data will be to a country covered by the UK's Adequacy Regulations or falls within one of the exceptions under the UK GDPR – contact our team if you’d like further information about these limited exceptions.
The reason for carrying out a Transfer Risk Assessment (in addition to the above ‘appropriate safeguards’) is to make sure that the personal data of individuals will be fully protected when it is sent to countries outside of the UK. Ultimately, organisations must be able to justify that the data protection rights of individuals will not be undermined when their data is transferred outside of the UK.
The ICO allows two approaches for carrying out this assessment:
Option 1: The ICO’s approach, which compares the risk to individuals if their personal data stays in the UK, versus if it is transferred outside of the UK. This approach examines the risks of transferring personal data from a privacy and human rights perspective, requiring organisations to consider whether transferring personal data outside the UK will result in significant risks to the privacy and human rights of the individuals whose data is transferred. If there is no significant risk, the transfer of personal data may go ahead.
Option 2: There is a second option (which follows the approach by the European Data Protection Board under EU law) that assesses the laws and practices of the destination country to which personal data will be transferred, compared with the laws and practices of the UK. This approach requires organisations to assess the personal data safeguards in place in destination countries outside the UK, particularly to protect personal data from third-party access (e.g., government).
Organisations may choose to carry out their Transfer Risk Assessment by following either of these approaches.
For further background on the assessment process, see our article on Transfer Impact Assessments (TIAs). You should ensure that your assessments are carefully documented.
What are the difficulties in conducting a Transfer Risk Assessment?
In practice, conducting a Transfer Risk Assessment can be pretty challenging.
You will need to determine which approach to take for the assessment, i.e. the ICO’s approach or the European approach (the latter is particularly relevant where you also have EU operations), review your transfers from a foreign law and/or human rights perspective, and continue to review and update your assessments from time to time.
This can be a very onerous exercise requiring sizable investigations and resources, particularly for high-risk transfers. In particular, it can be highly challenging to collaborate with overseas suppliers on these complex assessments, especially if a UK-based business works with numerous suppliers located outside the EU.
Where you need to investigate local laws in third countries as part of your assessment, there are a range of issues to consider, including surveillance laws, access to data by public authorities, the rights and remedies available to data subjects and the human rights record of the relevant countries – this often requires local law advice, as you are unlikely to have an in-house understanding of these overseas issues. This can also be very time-consuming and slow down projects.
The ICO has provided a helpful Transfer Risk Assessment tool to help organisations carry out the assessment; however, the tool itself is very lengthy and includes a series of complicated questions, so completing it can be very resource-intensive. Furthermore, the tool may not be practical for organisations conducting more complex data transfers, which will need to adapt it further to incorporate their specific data flows.
If you have a complicated supply chain involving various parties transferring personal data, it may be difficult to understand how to conduct the assessments correctly. This is particularly challenging when considering who ‘initiates’ the transfer and is ultimately responsible for running it.
For the reasons outlined above, you should seek specialist legal advice if you are unsure about how to conduct a Transfer Risk Assessment.
Who is ultimately responsible for carrying out a Transfer Risk Assessment?
The organisation initiating the personal data transfer will be responsible for carrying out the assessment.
If your organisation is a data controller and you engage a data processor who conducts a transfer of personal data outside of the UK (for example, if a UK-based processor sends personal data to a sub-processor in the US), it will be the processor who is responsible for carrying out the assessment. However, in this scenario, you, as the controller, will still be responsible for carrying out careful due diligence regarding the proposed international data transfer (which can itself be very complex).
This again presents difficulties, as processors may be concerned about the compliance burden involved in transferring personal data outside the UK.
What does it mean if no Transfer Risk Assessment is carried out when it should be?
Transfer Risk Assessments are mandatory, and where they are required but not carried out, international transfers of personal data outside the UK should not proceed.
If you transfer data outside the UK without conducting this assessment when necessary, it is a breach of the UK GDPR, and serious enforcement action could follow. It remains to be seen how the ICO will enforce violations of the law in this complex and fast-moving area – compliance is therefore all the more important.
Need help with your transfer risk assessment?
Transfer Risk Assessments are a legal requirement for many cross-border data transfers, and getting them wrong can lead to serious enforcement action under the UK GDPR. With high-stakes consequences, complex international laws, and evolving regulatory expectations, it’s vital to have the proper support in place. Our data protection solicitors can help you conduct compliant assessments, manage risks associated with global transfers, and implement appropriate safeguards that align with your commercial needs. Get in touch for practical, expert advice tailored to your business.