top of page
  • Writer's pictureDeborah
    • Feb 7

Released on 17 November 2022 by the Information Commissioner's Office (ICO) the updated version of the international transfers section of its Guide to GDPR, includes a new Transfer Risk Assessment (TRA) Guidance and a TRA tool.

The ICO’s TRA tool is one of transfer mechanisms that entities may use to comply with the requirements under article 46 of the UK The General Data Protection Regulation (GDPR).


In conducting its TRA, an organization must carry out a reasonable and proportionate analysis on the following:

  • Risks to people’s rights arising in the destination country from third parties accessing the information, in particular government and public bodies.

  • Risks to people’s rights arising from difficulties enforcing the Article 46 transfer mechanism.

To make a restricted transfer of personal data using ICO’s approach, concerned entities shall carefully consider in what capacity they are acting.

  • Controllers relying on a processor to make the restricted transfer are not required to complete the TRA; only the processor is responsible for completing the TRA.

  • Receiving entities sending the data to third parties may be required, where applicable, to carry out a TRA.

  • Entities making a series of connected, repeated or similar restricted transfers, shall carry out a TRA for each restricted transfer or one TRA that covers all of them.

An alternative to the ICO TRA tool is the transfer impact assessment (TIA) methodologies based on the European Data Protection Board (EDPB) guidance.


Recent Posts

See All

Virtual Assets (VAs) or crypto assets refer to : “any digital representation of value that can be digitally traded, transferred or used for payment. It does not include digital representation of fiat

10 Aug 2023 - Deadline to submit comments to FCA Guidance Consultation (GC23/1) on crypto asset financial promotions. 5 Sep 2023 - Effective date of SEC Cybersecurity Risk Management, Strategy, Govern

bottom of page