What Is a Transfer Risk Assessment?

Data protection law heavily regulates the transfer of personal data to certain countries outside the UK. If your business transfers personal data outside the UK, you must carefully consider and, where required, comply with various legal rules. One essential legal requirement involves carrying out a transfer risk assessment. This article will explore what a transfer risk assessment means under UK data protection laws. 

Why Are International Data Transfers High Risk? 

Businesses processing personal data must be extra cautious when sending personal data overseas. The UK General Data Protection Regulation (UK GDPR) sets strict rules to safeguard personal data, particularly when a business intends to send it outside the UK. 

Generally, your business cannot transfer personal data outside the UK unless it can rely upon a valid exemption. Some countries do not have robust data protection laws, so transferring personal data to those countries could put individuals’ data at risk. 

However, certain exceptions allow businesses to transfer personal data lawfully overseas, as explored below.

Adequate Countries 

A common exception is when an organisation seeks to transfer personal data from the UK to a country deemed to have an ‘adequate’ level of data protection. 

See our article here for further information about countries that are considered adequate. You may freely transfer personal data to such countries. 

Appropriate Safeguards 

Organisations can still transfer personal data to other countries that are not adequate; however, they must put in place “appropriate safeguards”, such as unique data protection contracts approved by data protection regulators. These contracts help ensure that personal data is protected when sent overseas. 

Common appropriate safeguards include the UK’s International Data Transfer Agreement, a pre-approved contract produced by the UK data protection regulator to provide a framework and rules around transfers of personal data outside the UK. 

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

UK companies can also use the European Commission’s Standard Contractual Clauses (SCCs) to achieve the same goal, so long as they use the UK data protection regulator’s UK Addendum document alongside the SCCs. 

Other appropriate safeguard methods, such as Binding Corporate Rules and Approved Codes of Conduct, are also possible, though these measures are rarer. 

What Is a Transfer Risk Assessment?

When an organisation seeks to carry out a ‘restricted transfer’ to a country outside the UK using appropriate safeguards under Article 46 of the UK GDPR, conducting a comprehensive transfer risk assessment is crucial. This assessment is mandatory under certain circumstances, as data protection laws legally require it.

A business must carry out this assessment in scenarios including where a business:

• is using the ICO’s International Data Transfer Agreement, or EU SCCs, together with the UK Addendum document; and
• relying on Binding Corporate Rules.

It is vital to understand when a transfer risk assessment is mandatory. The evaluation aims to ensure that individuals’ data will be protected when transferred to certain countries outside the UK. For instance, a transfer impact assessment can determine whether an organisation needs to implement supplementary measures to safeguard personal data when sent outside the UK. 

How Do I Carry Out a Transfer Risk Assessment?

The UK’s data protection regulator offers two distinct approaches for conducting this assessment. 

Businesses can either:

• conduct the transfer impact assessment by comparing the risks posed to individuals’ personal data if it remains within the United Kingdom versus their data being transferred outside. This approach requires careful privacy and human rights considerations, prompting organisations to evaluate whether transferring personal data beyond the UK entails significant risks to individuals’ privacy and human rights. If no significant risk is identified, the transfer may go ahead. This is the ‘UK approach’ of the ICO, the UK data protection regulator. The ICO has produced a valuable tool for businesses to complete this assessment; or
• alternatively, organisations can opt for the approach endorsed by the European Data Protection Board under EU law. This method entails assessing the legal framework and practices of the destination country compared to those of the UK. Organisations must scrutinise the personal data safeguards in the destination countries, especially concerning protection from third-party access, such as government agencies.

Organisations have the flexibility to choose between these alternative approaches. A company with EU and UK operations may select the second EU option, while a UK-only business may find the first option more accessible. Regardless of the route adopted, it is vital to document your transfer risk assessment as evidence of compliance. 

Properly conducting a transfer risk assessment can be a highly complex endeavour. If you require assistance with any aspect of this process, you can consult a data protection lawyer. 

Key Takeaways

A transfer risk assessment is a vital task for UK GDPR compliance. This assessment is mandatory in some instances and requires detailed review and analysis. The essential purpose of this assessment is to assess whether your business can proceed with your intended international data transfer. 

A transfer impact assessment is a crucial exercise to comply with data protection laws and ensure the safeguarding of personal data when sent to countries that do not afford the same level of protection to personal data as in the UK. 

If you need support with a transfer risk assessment, LegalVision’s experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.