Many organisations have been struggling with a GDPR grey area since the Schrems II litigation.
The CJEU invalidated Privacy Shield and added extra layers of risk assessment to the use of Standard Contractual Clauses (SCCs), making compliant personal data transfers to the US complicated to achieve.
Until now, the only guidance available on how to conduct a Schrems II risk assessment has been a dense document from the European Data Protection Board, which is therefore not directly relevant to UK GDPR.
The ICO has now launched a consultation on its own approach to restricted transfers.
The consultation includes a draft International Data Transfer Agreement (IDTA) – which will be the UK equivalent of SCCs going forward.
It also includes guidance on how to approach the kind of transfer risk assessment (TRA) now required as a result of Schrems II.
For many organisations, personal data transfers to the US are unavoidable – whether because of group structure, the need to outsource certain functions or the location of sub-processors engaged by commercial partners. But putting appropriate safeguards in place and risk-assessing these arrangements has been difficult due to the lack of official guidance.
The ICO’s TRA tool for data exporters is “designed to assist you when making routine restricted transfers… It provides a structured list of questions to work through and tables to help you assess risk at each step”.
Although currently only in draft form, this is a welcome development and will hopefully result in greater clarity for UK data exporters on how to ensure transfers remain compliant with UK GDPR.
The consultation also addresses other international issues, such as the interpretation of Article 3 UK GDPR on extra-territorial scope.
Responses to the consultation are invited until 7 October 2021.