Data transfers outside the UK are commonplace for businesses and almost impossible to avoid. Nevertheless, the risks to the rights and freedoms of the data subjects must be appropriately safeguarded in the case of these so-called restricted transfers. Data may only be transferred if a company can reduce the risks for the data subjects to zero or at least to a low level. To evaluate these risks and the appropriate measures, a Transfer Risk Assessment (TRA) is necessary.
Restricted country transfers
The UK GDPR regulates the transfer of data to third countries in Chapter V. The measures mentioned therein, such as adequacy decisions or International Data Transfer Agreements (IDTAs), are intended to ensure and enforce the UK’s level of data protection in the restricted country as well. In the case of adequacy decisions, the UK government (or, prior to the UK’s withdrawal from the EU on 31 December 2020, the EU Commission) has recognised that the recipient country offers a level of data protection comparable to that of the UK. Accordingly, no further measures need to be taken.
However, if other transfer mechanisms such as IDTAs or other mechanisms according to Art. 46 UK GDPR are to be agreed, it must be evaluated whether these are also enforceable. The risks posed by deviating regulations in the recipient country must be identified and assessed.
The UK GDPR already uses the concept of risk assessments in Art. 24. Here, “risks of varying likelihood and severity for the rights and freedoms of natural persons” are to be examined. This should also be applied to Chapter V of the UK GDPR, as the Schrems II ruling of the European Court of Justice (CJEU) also makes it clear that the feasibility of transfer tools under Art. 46 of the GDPR must be evaluated and the risks for data subjects in the restricted country assessed. The ruling remains applicable, as it is EU case law dating from before the UK’s withdrawal from the EU.
This means that companies must determine the risks before transferring data to restricted countries without an adequacy decision. This evaluation is called a Transfer Risk Assessment.
Transfer Risk Assessment tool of the ICO
As a company, you should already have mapped your data flows and therefore know when you transfer personal data outside the UK and which transfer mechanism you can rely on. As a next step, you need to conduct the TRA.
The Information Commissioner’s Office (ICO) published a TRA Tool to guide companies and provide them with the necessary equipment to conduct a legally compliant Transfer Risk Assessment. Companies are not bound to use this tool and may instead adopt their own approach, provided it covers every relevant aspect of the transfer and the risks it may impose.
The ICO’s TRA tool is divided into six questions and provides guidance after each block on how to proceed. For instance, if the risk identified at question two is low, the transfer can already take place without working through the remaining questions, because the risk of harm to the data subjects concerned is very low.
The first question addresses the specific circumstances of the restricted transfer, in short, your data mapping. Companies have to provide information on themselves and the data importer, such as their status as controller or processor, the duration of the transfer, the data categories, the data subjects and the technical and organizational measures of both parties. Companies are well advised to hold this information for all their processing activities so that they can answer requests from data subjects and authorities in the necessary detail.
Question two is structured as a table and addresses the general risk to the data transferred. This means that it is not yet about the risks in the restricted country, but about the general risk when processing this type of personal data, even if it is processed within the UK.
You need to provide information on the type of data, its initial risk level (low, moderate or high harm risk), as well as aggravating and mitigating factors that increase or reduce the risk level. There is also space for additional factors and your final risk score. Aggravating factors include the confidentiality level of the data, a large volume of data on a single data subject, or data concerning children. Mitigating factors are a high level of encryption or pseudonymization, for example.
If your final risk score is low, the transfer is possible and you do not need to move on to question three. However, a conclusion of moderate or high harm risk means you need to continue with question three.
Within the third question, you now investigate the destination country. You should consider three factors, which are:
- The risk level you identified in question two,
- The size of your organization and your resources, and
- The total volume of data you are transferring.
These determine the required level of investigation: the higher the risk may be, the more detailed your investigation needs to be. The TRA tool gives some examples of the depth of detail expected within question three.
Thereafter, in question four, you need to evaluate the risks and impacts on human rights, such as the right to life, freedom of expression, the right not to be discriminated against, or the right to respect for private and family life. To evaluate these risks, you need to consider your investigations from question three and whether and how human rights may be impacted.
The next step of the assessment is the evaluation of the enforceability of the Art. 46 UK GDPR transfer mechanism, such as the IDTA. The key factor here is whether the data importer will accept UK court decisions. Relevant factors are appropriate insurance held by the data importer, evidence that such decisions have already been acknowledged, or professional rules under which you could complain to an oversight body.
The final question addresses Art. 49 UK GDPR and the exceptions mentioned therein, which allow data to be transferred in specific circumstances. Such circumstances include important reasons of public interest or the explicit consent of the data subject. Be aware that you need to overcome high thresholds before you can use those exceptions as a legal basis for restricted transfers.
At the end, you need to evaluate the risk level from each of the six questions, which together tell you whether your transfer to a restricted country is possible or not. You get the answer after each question separately and need to bring them together at the end.
Please also note that the TRA Tool comes with an Appendix which provides you with some help and insight. For example, there is a table of categories of personal data and their initial risk score, which you need to fill in for question two. If you wish to use your own approach to a TRA, this can still be a useful source of information. However, to cover all necessary aspects of the Transfer Risk Assessment, it is advisable to use the tool provided by the ICO.
Tip: The TRA tool can be downloaded from the ICO website.
How should you deal with the results of the TRA?
The next steps for UK companies are, if not already done, to conduct their necessary Transfer Risk Assessments and then to act according to their outcomes. Such actions can include the implementation of further measures, which can be technical, organizational or contractual.
Additional guidance on such measures, and on mitigating factors to reduce the risk levels, can be found in the European Data Protection Board’s Guideline on additional measures for third country transfers.
Only once a company is satisfied that the restricted transfer does not impose high risks on the data subjects concerned can those transfers proceed. Otherwise, UK companies should consider national service providers as an alternative.