There is often some confusion between the terms ‘Transfer Impact Assessment’ and ‘Transfer Risk Assessment’ in the data protection world.
In reality, both are essentially the same requirement under data protection laws, depending on whether an organisation is subject to the UK or EU data protection law regime. This is because since Brexit, the UK has its own data protection law regime known as the ‘UK GDPR’ which is separate to the ‘EU GDPR’ (although the two are very similar).
In short, both terms describe an assessment which organisations must undertake to evaluate whether sending personal data to certain countries outside of the UK or EU can be carried out lawfully.
This is a complex and fast-changing area of law, so always seek legal data protection advice if you're unsure of your obligations.
Transfer Impact Assessments under the European Data Protection Law Regime
A ‘Transfer Impact Assessment’ is an assessment used for transfers of personal data between EU and certain non-EU countries. This is part of a framework to ensure that when personal data is transferred outside of the EU, it’s still protected in the same way it is under the EU GDPR. Essentially, this applies to organisations subject to the EU GDPR where they are transferring personal data outside of the EU in certain circumstances.
The EU law approach stems from the recommendations of the European Data Protection Board (EDPB) and requires (amongst other things) an assessment of the laws and practices of the country to which personal data will be sent, to assess the risks involved in transferring the personal data.
This approach requires organisations to consider the safeguards in place and third-party access to personal data in third countries (particularly governments).
See our article ‘Transfer Impact Assessments’, where we’ve explained the steps to follow when carrying out a Transfer Impact Assessment. As highlighted, these are practically very difficult assessments to undertake with several complex recommendations from the EDPB to consider, including considering the laws and practices of the countries to which personal data will be sent (which can be very tricky to assess without taking international law advice).
Transfer Risk Assessments under the UK Data Protection Regime
As set out in our article ‘Transfer Impact Assessments’, a Transfer Risk Assessment allows organisations subject to the UK GDPR to make ‘restricted transfers’ of personal data from the UK to certain countries outside of the UK lawfully.
A Transfer Risk Assessment is essentially the UK equivalent of a Transfer Impact Assessment and must be completed where an organisation makes a transfer of personal data outside of the UK using the ICO’s International Data Transfer Agreement, European Commission Standard Contractual Clauses with a UK Addendum or Binding Corporate Rules.
The ICO has published a helpful template Transfer Risk Assessment tool with detailed questions for businesses to answer, including guidance and examples of risk levels for different categories of personal data.
The ICO has attempted to take a different approach to the European position, which balances both the rights of individuals and provides a proportionate approach for businesses conducting the assessment.
For example, the ICO’s approach focusses on matters such as:
- Assessing if a specific transfer will increase the risk to people’s privacy and rights, compared to if their personal data stays in the UK.
- Considering the general risk to people’s human rights if their personal data is transferred to another country outside of the UK.
The ICO’s approach is more focussed upon an assessment the risks of individual data transfers, rather than assessing if the laws of the recipient country provide comparable protection of personal data.
The ICO allows organisations needing to conduct a Transfer Risk Assessment to choose between using its own Transfer Risk Assessment tool, or the EU’s Transfer Impact Assessment guidance and approach. However, it seems that the ICO’s Transfer Risk Assessment tool will be easier for businesses to use in practice.
Businesses should make sure they understand when the requirements to carry out a Transfer Impact Assessment and Transfer Risk Assessment apply and that they understand the criteria for the relevant assessments properly. The requirements for carrying out these assessments are complicated and require careful analysis.
For UK based businesses and in particular small businesses, the ICO’s reasonable and proportionate approach and Transfer Risk Assessment template may provide a more practical tool for businesses to use. However, businesses operating in or providing services to the EU (or whose personal data transfers are more complex) may consider using the EU’s Transfer Impact Assessment approach and guidance.
Businesses should closely follow guidance issued by the data protection regulators on this topic and make sure they carry out the relevant assessments correctly so that that their international transfers of personal data are made lawfully.
This article provides high-level information on the key differences to note, however our team can help with providing detailed advice on the legal requirements and advise you on which assessments you need to carry out for your business transfers (particularly if your business operates in both the UK and EU).