Released on 17 November 2022 by the Information Commissioner's Office (ICO) the updated version of the international transfers section of its Guide to GDPR, includes a new Transfer Risk Assessment (TRA) Guidance and a TRA tool.
The ICO’s TRA tool is one of transfer mechanisms that entities may use to comply with the requirements under article 46 of the UK The General Data Protection Regulation (GDPR).
In conducting its TRA, an organization must carry out a reasonable and proportionate analysis on the following:
Risks to people’s rights arising in the destination country from third parties accessing the information, in particular government and public bodies.
Risks to people’s rights arising from difficulties enforcing the Article 46 transfer mechanism.
To make a restricted transfer of personal data using ICO’s approach, concerned entities shall carefully consider in what capacity they are acting.
Controllers relying on a processor to make the restricted transfer are not required to complete the TRA; only the processor is responsible for completing the TRA.
Receiving entities sending the data to third parties may be required, where applicable, to carry out a TRA.
Entities making a series of connected, repeated or similar restricted transfers, shall carry out a TRA for each restricted transfer or one TRA that covers all of them.
An alternative to the ICO TRA tool is the transfer impact assessment (TIA) methodologies based on the European Data Protection Board (EDPB) guidance.