Personal data must be shared with foreign countries cautiously, considering the risk attached to it. Recently, the UK Information Commissioner’s Office (“ICO”) published new guidelines and a template for carrying out a transfer risk assessment (“TRA”). Under the UK GDPR, an organization must carry out a TRA when sharing personal data that is subject to the UK GDPR with countries outside the UK.
When carrying out a TRA, a UK-based business must consider the following six questions:
- What are the specific circumstances of the transfer?
- What is the level of risk to people in the personal information you are transferring?
- What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organization?
- Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
- (a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
  (b) If enforcement action outside the UK may be needed: are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
- Do any of the exceptions to the restricted transfer rules apply to “significant risk data” (i.e. data that an Article 46 UK GDPR transfer mechanism does not provide appropriate safeguards for)?
The ICO has also provided a TRA tool (template) that organizations can use to carry out a TRA when sharing personal data outside the UK. The detailed template can be accessed at https://www.mayerbrown.com/en/perspectives-events/publications/2022/12/icos-updated-guidance-on-international-personal-data-transfers-offers-an-alternative-approach-to-carrying-out-transfer-risk-assessments