A ‘Transfer Risk Assessment’ is an assessment required under UK data protection law which allows organisations subject to the UK GDPR to make ‘restricted transfers’ of personal data from the UK to certain countries outside of the UK lawfully.
When is a Transfer Risk Assessment needed?
A Transfer Risk Assessment must be completed where an organisation makes a transfer of personal data outside of the UK using:
- The ICO’s International Data Transfer Agreement;
- The European Commission Standard Contractual Clauses with a UK Addendum; or
- Binding Corporate Rules.
Please note that the assessment isn’t needed where the transfer of personal data will be to a country covered by the UK ‘Adequacy Regulations’ or where one of the exceptions under the UK GDPR applies – contact our team if you’d like further information about these limited exceptions.
The reason for carrying out a Transfer Risk Assessment (in addition to the above ‘appropriate safeguards’) is to make sure that the personal data of individuals will be fully protected when it is sent to countries outside of the UK. Ultimately, organisations must be able to justify that the data protection rights of individuals will not be undermined when their data is transferred outside of the UK.
The ICO allows two approaches for carrying out this assessment:
Option 1: The ICO’s own approach which compares the risk to individuals if their personal data stays in the UK, versus if it is transferred outside of the UK. This approach looks at risks of transferring personal data from a privacy and human rights perspective and requires organisations to consider whether transferring personal data outside of the UK will result in significant risks to the privacy and human rights of the individuals whose data is transferred. If there is no significant risk, the transfer of personal data may go ahead.
Option 2: There is a second option (which follows the approach taken by the European Data Protection Board under EU law, where the assessment is known as a Transfer Impact Assessment) which assesses the laws and practices of the destination country to which personal data will be transferred, compared with the laws and practices of the UK. This approach requires organisations to assess the personal data safeguards in place in the destination countries outside of the UK, in particular those protecting personal data from third party (e.g. government) access.
Organisations may choose to carry out their Transfer Risk Assessment by following either of these approaches.
For further background on the assessment process, see our article on Transfer Impact Assessments (TIAs).
Organisations should ensure that their assessments are carefully documented.
What are the difficulties in conducting a Transfer Risk Assessment?
In practice, carrying out a Transfer Risk Assessment can be very difficult.
Organisations will need to determine which approach to take for the assessment i.e. the ICO’s approach or the European approach (particularly where they also have EU operations), review their transfers from a foreign law and/or human rights perspective and continue to review and update their assessments from time to time.
This can be a very onerous exercise requiring sizable investigations and resources, particularly for high-risk transfers. In particular, it can be extremely difficult to work with overseas suppliers on these complicated assessments – especially if a UK based business works with numerous suppliers who are located outside of the EU.
Where an organisation needs to investigate local laws in third countries as part of their assessment, there are a range of issues to consider including surveillance laws, access to data by public authorities, the rights and remedies available to data subjects and the human rights record for the relevant countries – this often requires local law advice, as organisations in the UK are unlikely to have an understanding of these overseas issues. This can also be very time consuming and slow down projects.
The ICO has provided a helpful Transfer Risk Assessment tool to help organisations carry out the assessment, however the tool itself is very lengthy and includes a series of complicated questions – this can be very resource intensive. Further, the tool may not be practical for organisations carrying out more complex data transfers, who will need to adapt it further to incorporate their data flows.
For organisations with complicated supply chains involving various parties transferring personal data, it may be difficult for businesses to understand how to correctly conduct the assessments (in particular, when working out who ‘initiates’ each transfer and is therefore ultimately responsible for running the assessment).
For the reasons set out above, it’s vital that businesses take specialist advice where they are unsure about how to carry out a Transfer Risk Assessment.
Who is ultimately responsible for carrying out a Transfer Risk Assessment?
The organisation initiating the personal data transfer will be responsible for carrying out the assessment.
If your organisation is a data controller and engages a data processor who conducts a transfer of personal data outside of the UK (for example, if a UK based processor sends personal data to a sub-processor in the US), it will be the processor who is responsible for carrying out the assessment. However (in this scenario) you as the controller will still be responsible for carrying out careful due diligence regarding the proposed international data transfer (which can itself be very complex).
This again presents difficulties, since processors may be concerned about the compliance burden involved when transferring personal data outside of the UK.
What does it mean if no Transfer Risk Assessment is carried out when it should be?
Transfer Risk Assessments are mandatory and where they are required but not carried out, international transfers of personal data outside of the UK should not go ahead.
If an organisation transfers personal data outside of the UK without conducting this assessment when necessary, this is a breach of the UK GDPR and serious enforcement action could follow – see our article on what happens if you get data protection wrong for information on the various potential implications of breaching the UK GDPR. It remains to be seen how the ICO will enforce breaches of the law in this complex and fast-moving area – compliance is therefore all the more important.
Correctly carrying out a Transfer Risk Assessment is a very complicated task. If you would like support with any aspect of the process and understanding your legal obligations, please contact our friendly and knowledgeable data protection law experts who are here to help businesses navigate these challenging yet vital assessments.