The UK Information Commissioner’s Office (the “ICO”) published new guidance on transfer risk assessments (“TRAs”) and a template for carrying out a TRA.
All businesses are required to carry out TRAs, also known as local law assessments or transfer impact assessments, when transferring personal data subject to the UK GDPR outside the United Kingdom using the international data transfer agreement (the “IDTA”), the European Commission’s standard contractual clauses with the UK addendum (the “UK Addendum”), or the binding corporate rules.
The new guidance is reportedly designed to provide organisations subject to the UK GDPR with a more pragmatic, risk-based approach without requiring them to carry out new assessments if they already followed the recommendations published by the European Data Protection Board.