Today, the ICO has published a suite of new international transfers guidance, including its long awaited final guidance on ‘transfer risk assessments’ (TRA). The new guidance follows the ICO’s consultation on international data transfers during the summer of 2021, when it published a draft TRA tool for consultation along with a list of consultation questions on how its international transfers guidance should be updated, as well as the first draft of the (subsequently finalised) International Data Transfer Agreement (IDTA) and EU Addendum.
The ICO has now published the final guidance developed in light of that consultation, including:
- updated guidance on international transfers;
- a new guidance section on TRAs; and
- a new TRA tool.
The ICO’s international transfers guidance has been significantly amended, with more detail and examples added, including in relation to the definition of “restricted transfers” and on the Article 49 exceptions. For example, the new guidance includes more analysis on international transfers from processors to sub-processors, independent processors and controllers (both third party and their own) – reflecting the outcomes to some of the thorny questions asked in the ICO’s initial consultation paper. While this detail may assist organisations with sophisticated data privacy teams, there may be a risk that the new longer guidance is harder to process and implement for some SMEs.
In her blog announcing the publication of the new guidance, Emma Bate, Director of Legal Services at the ICO, confirmed that the new TRA guidance puts forward an “alternative, achievable” approach to that of the EDPB. The ICO states it is aiming to deliver “the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate”. A freshly pragmatic approach from the ICO is likely to be welcomed by organisations – as there was widespread concern about the difficulty of the process following the publication of the draft TRA tool. However, only over the coming weeks and months, through assessment and application, will it become clear whether the ICO’s approach is substantively different in practice to that of the EDPB, given, for example, that the ICO’s methodology still requires assessment of the recipient country’s human rights record.
The ICO has attempted to make the TRA tool as user-friendly for organisations as possible, breaking the TRA process down into six questions with tick-box tables to complete at each stage, with an annex outlining the likely level of risk posed by different types of data (scored low-to-high). The ICO also helpfully acknowledges that organisations do not need to use the ICO TRA format, and can use other methods for TRAs as long as they keep a record of their assessment. The TRA guidance also usefully makes clear at the outset that organisations can comply with the EDPB approach to transfer assessments as an alternative to that put forward by the ICO for UK transfers. This will be particularly welcome to organisations operating across the UK and Europe. As a consequence, however, the ICO’s potentially more pragmatic guidance may have limited operational utility for those organisations operating internationally, with the EDPB approach remaining the default, unless the European authorities also recognise the validity of the UK TRA for EU GDPR transfers. Perhaps optimistically, we may also hope that the ICO’s approach may influence and inform future updates to the EDPB’s equivalent guidance (Recommendations 01/2020).
For those organisations with complex supply chains, the new TRA guidance seeks to answer some of the difficult questions about who is responsible for carrying out TRAs. For example, it confirms that, subject to exceptions, if you are a controller, and your processor is making the restricted transfer, only the processor must complete the TRA.
The ICO has confirmed that they will now be working on clause-by-clause guidance to the IDTA and the EU Addendum and will be adding further worked examples to their TRA guidance. They have also promised to hold listening exercises about organisations’ experiences next year.
In the meantime, we will all be continuing to work through the implications of this significant new guidance in practice and are looking forward to sharing our thoughts at our Data Privacy Forum on 6 December!