What is a Data Transfer Risk Assessment?


If you are transferring personal data from the UK, it is likely that you will need to undertake a transfer risk assessment (TRA) before you hit ‘send’.

Many companies engage in a complex web of personal data transfers to overseas recipients, covering anything from email addresses and phone numbers to employment details and financial information. Although you may want to scream in frustration at the thought of directing resources to yet another ‘risk assessment’, remember that demonstrating data protection compliance can give you a competitive edge. According to recent research, over the past 12 months 85% of consumers said they had deleted a phone app, 82% had opted out of sharing personal data, 78% had avoided a particular website, and 67% had decided against making an online purchase because of privacy concerns. Making data stewardship a core company value will benefit your business and keep regulators off your back.

When does a data transfer fall under the scope of the UK GDPR?

Risk management is at the heart of UK GDPR compliance. Article 24 of the UK GDPR requires controllers to implement appropriate technical and organisational measures that take into account the “risks of varying likelihood and severity for the rights and freedoms of natural persons.” International transfers are one of the areas where that risk-based approach applies most directly.

Transferring data to the EU/EEA

In June 2021, the European Commission adopted adequacy decisions for the UK, finding that UK data protection law provides a level of protection essentially equivalent to that under the EU GDPR. Together with the UK’s own adequacy regulations covering the EEA, this means personal data can flow freely in both directions between the UK and EU/EEA states without a transfer risk assessment. The one exception is personal data transferred from the EEA for the purposes of UK immigration control, or data that would otherwise fall within the immigration exemption in the Data Protection Act 2018, which the EU adequacy decision excludes.

Transferring data to a third country

Article 46 of the UK GDPR regulates the transfer of personal data to a third country or an international organisation in the absence of adequacy regulations. The provision requires that the controller or processor provides appropriate safeguards for the data, and that data subjects have enforceable rights and effective legal remedies in case of any breach or violation.

The main appropriate safeguards are the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Standard Contractual Clauses (the Addendum). These are, in effect, the UK’s equivalent of the EU SCCs, which the European Commission updated in June 2021. Other appropriate safeguards include:

Binding corporate rules (BCRs).
Approved codes of conduct.
Approved certification mechanisms.

Following the judgment of the Court of Justice of the European Union in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18, known as Schrems II), which invalidated the EU-US Privacy Shield, a programme that had allowed EU businesses to transfer personal data to the US, you must undertake a TRA to ensure, on a case-by-case basis, that the personal data (and the data subjects) remain protected to the standard required under the GDPR. A TRA must be completed regardless of whether you rely on an IDTA, the Addendum, the SCCs or a mixture of all three.

What is a Data Transfer Risk Assessment?

The purpose of a TRA is to ensure that, when personal data is transferred outside the UK (or, for EU exporters, the EEA) to a third country, the level of protection offered under the GDPR is maintained for the lifetime of the transfer, by identifying any risks and mitigating them where necessary. The Schrems II decision found that, on its own, an approved safeguard may not effectively guarantee that the transferred data is adequately protected: a contract cannot bind the authorities of the importing country. Therefore, the aim of conducting a TRA is to:

Identify the risks that may result in the data being compromised.

Analyse the impact of identified risks on the data to be transferred.

Discover and put in place appropriate risk mitigations and any supplementary measures required to safeguard the data. These measures should be in addition to the approved safeguards under Article 46.

If the risk cannot be mitigated and no supplementary measures can provide appropriate safeguards, the transfer should be terminated.

Data exporters must take an active role in assessing and mitigating data transfer risks. Furthermore, to ensure you comply with the UK GDPR accountability requirements, you must document the steps taken when the TRA was conducted.

How do I conduct a GDPR transfer risk assessment?

The Information Commissioner’s Office (ICO) recommends two options for conducting TRAs:

• The ICO’s TRA tool approach – asks the key question: “as a result of the transfer, is there any increase in the risk to people’s privacy and other human rights, compared with the risk if the information remains in the UK?” If the answer is no, the transfer can proceed under the chosen Article 46 safeguard.

• The European Data Protection Board (EDPB) approach – involves comparing the laws and practices of the importing country against those of the UK, particularly in terms of data protection safeguards. The safeguards do not need to be identical; however, they must be essentially equivalent.

You can use other risk assessment tools, but they must meet the ICO’s criteria and standard. For complex data transfers, the ICO’s TRA tool may be too limited. The EDPB approach will be more useful in such cases, but you will probably need assistance from the importer to get a good grasp of their country’s data protection and privacy laws and practices, including any government access to data.

And just how is a busy organisation or an SME supposed to do all the above?

If you have read this far, your jaw may need picking up off the floor. There is no doubt that as far as compliance goes, undertaking a TRA every time you want to transfer data to a third country is a mammoth ask.

One practical way to manage compliance under Article 46 of the GDPR and Schrems II is to outsource your TRAs. An external risk management and legal specialist will not only have the knowledge and resources to undertake a TRA, but can also ensure all the documentation is completed correctly. That way, if the data is compromised, you can be confident that you have ample evidence to show ICO investigators that you met the data transfer compliance requirements.

To find out more about any matters discussed in this article, please email us at info@43legal.com or phone 0121 249 2400.

The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article, please contact 43Legal.