THE LENS
Digital developments in focus

Major update to ICO international transfers guidance: key takeaways for organisations

The UK Information Commissioner’s Office (ICO) has published a major update to its international transfers guidance to help organisations navigate the UK GDPR transfer regime. As well as addressing changes made by the Data (Use and Access) Act (DUA Act), the guidance has been restructured and reworded to be clearer. The regulator has also provided new content to clarify common previous areas of uncertainty. As the updates run across nine pieces of new and reworked guidance (available here), we have digested below a few key insights. 

Who needs to comply with the transfer rules? 

The ICO reminds us of the three-step test. In summary, this is:

  • Does the UK GDPR apply to our processing?
  • Are we initiating the transfer to someone outside the UK?
  • Is the organisation we’re transferring to a separate legal entity? 

Helpfully, the supporting content includes useful additions and clarifications, including:

  • some (albeit limited) colour on the UK GDPR’s territorial scope. The guidance sets out the requirement for a ‘stable UK presence’ and ‘real and effective’ activities for an organisation to have a UK establishment, and for an organisation to ‘specifically target’ UK individuals with offers of goods/services to be within the UK GDPR’s remit.
  • a streamlined approach to determining responsibility for complying with the transfer rules, which now focuses only on who is ‘initiating’ the transfer, rather than ‘initiating and agreeing’ as under the previous guidance. This approach is then applied to a broader range of scenarios. For example, the guidance explains that where a UK organisation contracts with a non-UK company but the non-UK company has a UK subsidiary which in reality receives the data flows, the transfer should be dealt with as if the data was flowing to the non-UK party that contracted for it.
  • clarification on transfers to cloud service providers and to overseas servers, with the three-step test (above) confirmed to be applicable to each.

Greater emphasis on ‘other’ GDPR obligations 

There is a substantial new guidance section emphasising the other UK GDPR rules (outside Chapter V) that controllers and processors must each comply with in connection with international transfers. 

Onwards transfers (and supplier diligence)

The guidance clarifies that the organisation making the initial international transfer does not need to carry out transfer risk assessments (TRAs) for onwards transfers by its overseas receivers. However, it must make sure that contractual protections for onward transfers are included in its standard data protection clauses (IDTA or Addendum, or other appropriate safeguard) with its receivers, and that the safeguard is enforceable. 

In addition, as part of the diligence checks carried out on overseas receivers (as part of broader GDPR compliance), organisations should assess how initial receivers and their subsequent receivers comply with data protection obligations. The level of detail required in these checks should reflect the risks posed to individuals and the likelihood of information being further transferred. Depending on the risks identified, the ICO suggests the exporting organisation could review the initial receiver’s contracts and/or TRAs for onward transfers, or include a contractual right to do so, which is a lighter-touch reflection of the position taken by the EDPB (discussed in this blog).

IDTA/Addendum and incorporation by reference

The ICO has pragmatically recognised that the IDTA and Addendum can be incorporated into wider contracts by reference but has set out some new concrete requirements for organisations on how to do so. These include particular reference wording that should be used (see here).

Consistency prioritised following DUA Act 

Despite the DUA Act’s substantial changes to the UK GDPR’s international transfer provisions (outlined here), the ICO has minimised the impact for organisations and made only light-touch changes. For example, the ICO states that although the UK’s new “not materially lower” than UK law standard differs from the EU’s “essentially equivalent” standard, “the principle is the same” in requiring the protection for people to not be undermined. Helpfully, the guidance confirms that TRAs carried out following previous ICO guidance will meet the latest requirements and don’t need to be redone. 

Outlook

It is clear the ICO is looking to make the regime easier for businesses to navigate, and these updates should broadly be welcomed as addressing common areas of uncertainty and friction in the complex transfers regime. However, those looking to update compliance practices for these changes should take note: this is only the mid-point in this regulatory project. The ICO has confirmed work is ongoing and that it will be updating its IDTA and Addendum documents during the course of this year to reflect DUA Act changes, with clause-by-clause guidance on them to follow. International transfers are back on the agenda for 2026.
