

‘Transfer Impact Assessments’ and ‘Transfer Risk Assessments’ – What’s the difference?

There is often some confusion between the terms ‘Transfer Impact Assessment’ and ‘Transfer Risk Assessment’ in the data protection world.

In reality, both are essentially the same requirement under data protection laws, depending on whether an organisation is subject to the UK or EU data protection law regime.  This is because since Brexit, the UK has its own data protection law regime known as the ‘UK GDPR’ which is separate to the ‘EU GDPR’ (although the two are very similar).   

In short, both terms describe an assessment which organisations must undertake to evaluate whether sending personal data to certain countries outside of the UK or EU can be carried out lawfully.     

This is a complex and fast-changing area of law, so always seek legal data protection advice if you're unsure of your obligations.  

Transfer Impact Assessments under the European Data Protection Law Regime  

A ‘Transfer Impact Assessment’ is an assessment used for transfers of personal data between the EU and certain non-EU countries. This is part of a framework to ensure that when personal data is transferred outside of the EU, it’s still protected in the same way it is under the EU GDPR. Essentially, this applies to organisations subject to the EU GDPR where they are transferring personal data outside of the EU in certain circumstances.

The EU law approach stems from the recommendations of the European Data Protection Board (EDPB) and requires (amongst other things) an assessment of the laws and practices of the country to which personal data will be sent, to assess the risks involved in transferring the personal data.   

This approach requires organisations to consider the safeguards in place and third-party access to personal data in third countries (particularly governments).   

See our article ‘Transfer Impact Assessments’, where we’ve explained the steps to follow when carrying out a Transfer Impact Assessment. As highlighted, these are practically very difficult assessments to undertake with several complex recommendations from the EDPB to consider, including considering the laws and practices of the countries to which personal data will be sent (which can be very tricky to assess without taking international law advice).  

Transfer Risk Assessments under the UK Data Protection Regime  

As set out in our article Transfer Impact Assessments, a Transfer Risk Assessment allows organisations subject to the UK GDPR to make ‘restricted transfers’ of personal data from the UK to certain countries outside of the UK lawfully.  

A Transfer Risk Assessment is essentially the UK equivalent of a Transfer Impact Assessment and must be completed where an organisation makes a transfer of personal data outside of the UK using the ICO’s International Data Transfer Agreement, European Commission Standard Contractual Clauses with a UK Addendum or Binding Corporate Rules.   

The ICO has published a helpful template Transfer Risk Assessment tool with detailed questions for businesses to answer, including guidance and examples of risk levels for different categories of personal data.  

The ICO has attempted to take a different approach to the European position, one which balances the rights of individuals with a proportionate approach for businesses conducting the assessment.

For example, the ICO’s approach focusses on matters such as:  

  • Assessing if a specific transfer will increase the risk to people’s privacy and rights, compared to if their personal data stays in the UK.   
  • Considering the general risk to people’s human rights if their personal data is transferred to another country outside of the UK.   

The ICO’s approach is more focussed upon an assessment of the risks of individual data transfers, rather than assessing if the laws of the recipient country provide comparable protection of personal data.

The ICO allows organisations needing to conduct a Transfer Risk Assessment to choose between using its own Transfer Risk Assessment tool, or the EU’s Transfer Impact Assessment guidance and approach. However, it seems that the ICO’s Transfer Risk Assessment tool will be easier for businesses to use in practice.   

Summary  

Businesses should make sure they understand when the requirements to carry out a Transfer Impact Assessment and Transfer Risk Assessment apply and that they understand the criteria for the relevant assessments properly. The requirements for carrying out these assessments are complicated and require careful analysis.  

For UK-based businesses, and in particular small businesses, the ICO’s reasonable and proportionate approach and Transfer Risk Assessment template may provide a more practical tool for businesses to use. However, businesses operating in or providing services to the EU (or whose personal data transfers are more complex) may consider using the EU’s Transfer Impact Assessment approach and guidance.

Businesses should closely follow guidance issued by the data protection regulators on this topic and make sure they carry out the relevant assessments correctly so that their international transfers of personal data are made lawfully.

This article provides high-level information on the key differences to note. However, our team can help with providing detailed advice on the legal requirements and advise you on which assessments you need to carry out for your business transfers (particularly if your business operates in both the UK and EU).

About our expert

Lillian Tsang MBA


Senior Data Protection and Privacy Solicitor
Lillian is an experienced data protection and privacy lawyer who qualified in 2008. She advises clients on a broad range of matters - from strategic compliance with a global stance to day-to-day operations. Her role also includes Harper James' Head of DPOaaS division (Data Protection Officer as a Service), where we act as the external DPO for a business or provide support to existing DPOs.

