Transfer risk assessments

06 December 2023 - We have updated this guidance to make clear that analysis produced by the UK Government when making adequacy regulations for the UK Extension to the EU-US Data Privacy Framework can be relied on when conducting a TRA for a restricted transfer to the US. The update can be found under ‘What is a transfer risk assessment (TRA)?’.

In brief

UK GDPR contains rules about transfers of personal data to receivers located outside the UK, which we refer to as restricted transfers.

One way to comply with UK GDPR rules on restricted transfers is to put in place an Article 46 transfer mechanism. These are the “appropriate safeguards” listed in Article 46 of the UK GDPR. Examples are the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs (the Addendum) and Binding Corporate Rules (BCRs).

If you are relying on an Article 46 transfer mechanism you must carry out a transfer risk assessment. This risk assessment will help you consider whether, in the circumstances of the transfer and with your chosen Article 46 transfer mechanism in place, the relevant protections for people under the UK data protection regime will be undermined.

Understanding and assessing risk is embedded into UK GDPR. When you decide what measures to put in place to comply with UK GDPR, you must take into account “risks of varying likelihood and severity for the rights and freedoms of natural persons” (Article 24).

The Schrems II judgment confirmed the role of risk assessments in the rules on restricted transfers. The Court said that before you may rely on an Article 46 transfer mechanism to make a restricted transfer, you must carry out a risk assessment. This is therefore a requirement under UK data protection laws.

Further Reading

Schrems II judgment of the CJEU


How and when to use this guidance

This guidance is relevant to you if you are:

This guidance will help you to understand when and how to carry out a transfer risk assessment (TRA).

What is a transfer risk assessment (TRA)?

Carrying out a TRA helps you ensure that, in the specific circumstances of your restricted transfer, the Article 46 transfer mechanism will provide appropriate safeguards, and effective and enforceable rights for people.

There are two broad types of risk you must consider in your TRA:

There are three approaches to conducting a TRA, in particular for the first set of risks: