How-to guide: How to transfer personal data lawfully outside the UK (UK)

Updated as of: 02 March 2025

Introduction

This guide will inform in-house counsel and private practitioners about how to lawfully transfer personal data outside the UK. The guide can also assist them when advising internal or external clients about these issues.

This guide is UK-focused and reflects the requirements of the UK General Data Protection Regulation (GDPR) as defined in part 1, section 3, Data Protection Act 2018 (UK DPA 2018), but also covers:

  • general requirements under the EU GDPR, as these may still be relevant to some UK organisations to which the EU GDPR applies due to the application of the extra-territorial scope provisions in article 3(2), EU GDPR; and
  • the Information Commissioner’s Office’s (ICO) interpretation of such EU GDPR requirements.

However, it does not address any local European Economic Area (EEA) data protection law requirements or interpretation of the EU GDPR by EEA data protection regulators.

This guide covers the following:

  1. What is a (restricted) transfer of personal data?
  2. How to transfer personal data lawfully outside the UK
  3. Failure to comply with data transfer requirements
  4. How to approach a data transfer project

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’, ‘international organisation’, ‘third country’, ‘EU GDPR’, ‘UK GDPR’, and ‘processing’ are further explained in How-to guide: Understanding key data protection definitions.

This guide is intended to be used in conjunction with Checklist: Making a restricted transfer of personal data under the UK GDPR. The checklist is designed to help you decide which steps you need to follow and which actions you need to take to ensure that you are making a restricted transfer of personal data in compliance with the UK GDPR.

This guidance reflects the UK’s current position on personal data transfers as at the date of publication and does not include any further updates on future data transfer developments, such as under the impending UK Data (Use and Access) Bill. This and other relevant developments in this fast-moving area of law should be monitored.

Section 1 – What is a (restricted) transfer of personal data?

In this guidance, we refer to the organisation sending data outside the UK as the ‘data exporter’ or ‘exporter’ and the party outside the UK receiving the data as the ‘data importer’ or ‘importer’.

The UK GDPR does not provide a legal definition of a ‘restricted transfer’ of personal data to a third country or to an international organisation. However, the ICO interprets a restricted transfer to take place when all the following apply:

  • the UK GDPR applies to the personal data being transferred;
  • the exporter is sending data or making it accessible to a data importer located outside the UK; and
  • the importer and the exporter are legally distinct entities.

If all the criteria above are met, then it means that there is a restricted transfer taking place to a third country or to an international organisation. A restricted transfer is frequently also referred to as a ‘transfer’, an ‘international data transfer’, or a ‘cross-border transfer of personal data’.

The European Data Protection Board (EDPB) has also provided guidance on the requirements on restricted transfers in their Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR. The EDPB Guidelines are framed in similar but slightly different terms to the ICO guidance. EDPB guidelines are not binding in the UK after the Brexit transition period ended in December 2020. However, the ICO has agreed that EDPB guidelines continue to provide useful guidance regarding certain matters even after Brexit.

1.1 The UK GDPR applies to the personal data being transferred

The scope of the UK data protection framework is set out in articles 2 (Material Scope) and 3 (Territorial Scope), UK GDPR and section 207, DPA 2018. If the data exporter is in the UK, then the UK GDPR will apply to them and any restricted transfers that they make.

In some cases, the UK GDPR can apply to a controller or processor located outside the UK (eg, if they are located outside the UK but ‘target’ data subjects located in the UK – also known as the ‘targeting criterion’ under article 3(2) of the UK GDPR). The targeting criterion means that the UK GDPR will apply to the processing of personal data of data subjects who are in the UK by a controller or processor not established in the UK, where the processing activities relate to:

  • the offering of goods or services to data subjects in the UK; or
  • the monitoring of their behaviour as far as the behaviour takes place within the UK.

If a processor or controller not established in the UK is subject to the UK GDPR under the targeting criterion, the requirements regarding restricted transfers will apply to transfers that they make in the same country or to another third country. For example, if a controller or processor located in Brazil processes the personal data of UK data subjects under the targeting criterion (article 3(2), UK GDPR), any transfer of that data either within Brazil or to any other third country will be subject to the UK GDPR. The exporter will have to take into account that UK GDPR transfer requirements are the same for exporters located in the UK and exporters located outside the UK if the processing falls under article 3(2) of the UK GDPR.

1.2 The exporter is sending personal data or otherwise making it available to a data importer located outside the UK

A transfer can refer to any type of disclosure of personal data or making the personal data available or accessible in some other way. A restricted transfer therefore takes place when a person who is part of a legally distinct controller or processor and is located outside the UK accesses in any way the personal data on another (separate) entity’s system or via a website.

For example, personal data can be ‘made available’ by:

  • creating an account on a website or platform;
  • putting personal data on a website;
  • granting access rights to an existing account;
  • confirming or accepting a request to remotely access the personal data;
  • embedding a hard drive; or
  • submitting a password to a file.

Other common situations encountered in practice that are also considered to be restricted transfers from a UK GDPR perspective are:

  • remotely accessing personal data from a third country – for example, by displaying personal data on a screen, such as for the purposes of support services, troubleshooting or administration; or
  • storing personal data in a cloud environment (either owned by the data exporter or provided by a third-party service provider) hosted on servers outside the UK.

The ICO also clarifies that transfer does not mean the same as transit. Simply electronically routing personal data through a third country (where it is not accessed or stored) does not itself count as a restricted transfer. For example:

Company A (UK) -> temporary US server -> Company B (UK)

The above transfer is from one UK organisation to another (and so not a restricted transfer).

1.3 The exporter and importer are legally distinct entities

The exporter and importer must be separate legal entities. They can be either sole traders, partnerships, companies, public authorities or other types of organisations. Transfers occurring between separate entities within the same corporate group may also be restricted transfers.

However, sending personal data within the same legal entity (eg, sending personal data to an employee of the same entity or between branches or offices that do not have a separate legal personality) will not qualify as a restricted transfer.

1.4 Transfers from processors to controllers

Sending or returning personal data by a processor to their controller (even if located outside the UK) will not be a restricted transfer provided that the controller is the controller of that same personal data (ie, the processor has likely collected the transferred personal data on behalf of that controller).

The personal data transfer is always the responsibility of the controller, as it must always have been initiated and agreed by them, most likely in the data-processing agreement concluded between the controller and the processor. This transfer cannot be restricted as it would be a transfer within the same legal entity (ie, from the controller back to the same controller).

A processor is responsible for complying with the transfer rules if they have initiated and agreed to the data flow, usually to their sub-processors.

Section 2 – How to transfer personal data lawfully outside the UK

Chapter V, UK GDPR (chapter V) sets out the different mechanisms (or ‘appropriate safeguards’) available to data controllers and processors which permit restricted transfers to be carried out lawfully.

To lawfully transfer personal data outside the UK, the data exporter must:

Chapter V sets out a hierarchical approach for the various safeguards. It is designed to ensure that data subjects’ rights are protected when their personal data leaves the UK. These different mechanisms are explained in more detail below.

2.1 Adequacy regulations

If a country is the subject of adequacy regulations issued by the UK’s Secretary of State for Digital, Culture, Media and Sport (DCMS), then the envisaged transfer will not be restricted and can be made freely. In this case, such a transfer will take place in compliance with the chapter V requirements on international data transfers.

As of the date of this guide, the UK has adequacy regulations in relation to:

  • the EEA countries;
  • EU or EEA institutions, bodies, offices or agencies;
  • Gibraltar;
  • countries, territories and sectors covered by the European Commission’s adequacy decisions (in force as at 31 December 2020) including the following countries and territories – Andorra, Argentina, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Republic of Korea, Switzerland, Japan and Uruguay; and
  • a partial finding of adequacy for Canada – this only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

The ICO website provides that Japan has only a partial finding of adequacy. However, on the basis of the European Commission’s findings of adequacy and the UK government’s own interpretation of adequacy, Japan in fact has a full finding of adequacy from the UK.

In addition, the UK Government has concluded adequacy decisions termed ‘data bridges’ with the Republic of Korea (December 2022) and the United States of America (US) (October 2023). The data bridge with the Republic of Korea is broader than the EU adequacy decision with South Korea, in that it covers not only personal data transfers but also financial services data transfers, such as credit information, to facilitate payment verification processes. The data bridge with the US is an extension of the EU-US Data Privacy Framework (the EU adequacy decision for safe EU-US data flows adopted by the European Commission in July 2023). The Data Privacy Framework is a bespoke, opt-in certification scheme for US companies and includes a set of enforceable principles and requirements that must be certified and complied with in order for US organisations to join the Framework. US organisations certified under the Framework can opt in to receive data from the UK (only once the relevant US organisation has been certified and publicly placed on the Data Privacy Framework List).

2.2 Appropriate safeguards

If the importing country does not benefit from adequacy regulations, the data exporter may only transfer personal data to a non-UK country or international organisation:

  • if an appropriate safeguard under article 46, UK GDPR has been put in place by either the controller or processor; and
  • subject to enforceable data subject rights and effective legal remedies being available in the importing country.

The different types of appropriate safeguards available are set out in more detail below.

A staged approach is advised when determining how to legitimise restricted transfers of personal data – if there is no adequacy regulation and an appropriate safeguard cannot be put in place, then the organisation should consider applying one of the exceptions or derogations under article 49(1), UK GDPR, which must be interpreted restrictively (see further section 2.3 below).

2.2.1 Standard contractual clauses (SCCs)

Standard contractual clauses (SCCs) are standardised and pre-approved model data protection clauses that allow controllers and processors to transfer personal data to a third country. They remain the most widely used article 46 appropriate safeguard.

SCCs can refer to:

The New EU SCCs do not form part of the UK’s retained law following Brexit and therefore, they do not automatically validate restricted transfers from the UK.

Any contracts concluded on or before 21 September 2022 can continue to rely on the Legacy EU SCCs to provide appropriate safeguards under article 46(1), UK GDPR until 21 March 2024. Contracts concluded after 21 September 2022 have to use either the IDTA or the UK Addendum together with the New EU SCCs, to comply with the UK GDPR.

Organisations can choose whether to use either the IDTA or the UK Addendum (together with the New EU SCCs) to transfer personal data from the UK to a third country. Note that the ICO has highlighted that the IDTA is more suitable for personal data transferred exclusively from the UK to a third country. For global organisations that carry out data transfers from both the UK and the EEA, a combination of the New EU SCCs and the UK Addendum is more suitable, as such organisations will need to incorporate the New EU SCCs in any event for their EEA transfers.

2.2.2 Binding corporate rules (BCRs)

UK binding corporate rules (BCRs) are legally binding internal organisational rules relied on by UK-based organisations (acting as either controller or processor) in order to perform restricted transfers. UK BCRs can be used by a group of undertakings (ie, a controlling undertaking and its controlled undertakings, more commonly known as a corporate group) or a group of enterprises (ie, a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity) if:

  • both the exporter and the importer have signed up to the same BCRs; and
  • in order to ensure that data subjects’ rights are enforceable, the organisation applying for the UK BCR has a UK-based legal entity that is overall in charge of the UK BCRs.

The UK BCRs’ purpose is that an adequate level of protection is afforded when personal data is transferred across jurisdictions between members of a corporate group, or groups of enterprises engaged in joint activity.

The concept of using BCRs to provide adequate safeguards for making restricted transfers was developed under EU law and is still valid under the UK GDPR (article 47, UK GDPR).

UK BCRs are explicitly recognised under article 46(2), UK GDPR as one of the most appropriate safeguards when carrying out a cross-border data transfer. The ICO regards the use of BCRs as the ‘gold standard’ transfer mechanism.

However, UK BCRs have the following limitations:

  • they rely on all relevant parties having signed up to the respective BCR and therefore cannot be used to cover international transfers of personal data to companies that are outside the corporate group;
  • they are very detailed in terms of the content they need to cover and must be approved by the ICO before they can be used. This process can be lengthy (as processing times can take 18 months or longer), time-consuming (to put together the detailed documentation required), and often costly.

Therefore, in practice, UK BCRs are only used by large, multinational commercial organisations.

On 19 December 2023, the ICO issued an updated Guide to Binding Corporate Rules simplifying the approval process for controllers and processors and also providing details about a new UK BCR Addendum. The UK BCRs comprise the following documents:

  • relevant application form;
  • binding instrument;
  • referential table;
  • BCR policy; and
  • other (relevant) policies and procedures as referenced in the UK BCRs.

Organisations therefore need to evaluate carefully whether UK BCRs are the most appropriate safeguards for their specific transfer scenarios.

Prior to effecting any restricted transfers to high-risk countries (meaning countries that are not considered adequate under UK data protection rules) under UK BCRs, a transfer risk assessment (TRA), see section 2.2.5 below, will need to be conducted.

2.2.3 Approved codes of conduct, approved certification mechanisms, and other transfer mechanisms

Approved codes of conduct

Under the UK GDPR, trade associations and other representative bodies (ie, organisations representing certain categories of controllers or processors) have the option (and are encouraged by the ICO) to develop codes of conduct that identify and address data protection issues that are important to their members. Such a code could cover restricted transfers but would subsequently need to be subject to ICO approval.

For more information about codes of conduct, see the ICO’s Codes of Conduct.

Approved certification mechanisms

The data exporter can make a restricted transfer if the data importer has received a certification under an ICO-approved scheme. A TRA may be built within the certification scheme or may need to be performed separately.

For more information about approved certification mechanisms see the ICO’s Certification schemes.

2.2.4 Other transfer mechanisms

Entering into bespoke contractual clauses

A data exporter and data importer can also enter into bespoke contractual clauses for the purposes of making a restricted data transfer, subject to the contract being authorised by the ICO for that specific transfer. A TRA may also need to be performed prior to concluding the contract but this will depend on the specific transfer, the content of the contract and any conditions imposed as part of the ICO’s approval.

Administrative arrangements between public bodies

Similar to the above, a restricted data transfer can be made if it falls under the purview of an administrative agreement between public authorities or bodies.

For more information about this mechanism please see the ICO’s guide to international transfers.

2.2.5 Undertaking transfer risk assessments

Solely relying on an appropriate safeguard may not be sufficient to achieve compliance with the restricted data transfer requirements. After the Court of Justice of the European Union’s decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), organisations should conduct a transfer risk assessment (TRA, also referred to as a transfer impact assessment) to review whether the chosen safeguard provides sufficient protection for data subjects and, if necessary, must take additional measures. Schrems II impacted the restricted data transfer framework in the ways listed below.

  • It invalidated the Privacy Shield mechanism of transferring data to the United States following a review of US surveillance laws (mainly section 702, Foreign Intelligence Surveillance Act, and Executive Order 12333). The decision concluded that these laws do not limit or effectively oversee public authorities’ access to EU personal data. It also confirmed that the Privacy Shield does not effectively provide EU individuals with actionable and effective rights before the courts against such public authorities.
  • It upheld the validity of the SCCs as an appropriate safeguard for transferring personal data to third countries.
  • It introduced the requirement that, prior to relying on any article 46 appropriate safeguard (eg, SCCs, BCRs, etc), the data exporter must perform a TRA.

Schrems II continues to apply in the UK following the end of the transition period as retained EU law.

A TRA does not need to be performed when transferring personal data outside the UK in reliance on an adequacy regulation or an exception (article 49, UK GDPR).

A TRA aims to uphold the level of protection provided by the UK GDPR when a data transfer occurs outside the EEA, for the entire duration of that transfer. This is accomplished by identifying risks and mitigating them as and when necessary. If the risks cannot be mitigated, then the data exporter should not proceed with the transfer.

When assessing the level of protection offered to data and data subjects, the TRA should consider:

  • the destination country’s rules, regulations and overall regulatory landscape; and
  • the importer itself and the protections it offers.

The data exporter will always be responsible for performing the TRA; however, it can ask the data importer for assistance if required. For example, the data importer can provide insight into the destination country’s legal landscape or provide details of the measures the importer has implemented to ensure the protection of the personal data it processes.

The level of protection offered by the importer and the destination country should be ‘sufficiently similar’ to the protections offered under the UK GDPR.

The ICO has provided helpful guidance on TRAs, as well as a TRA tool to assist with this assessment. Using this is not mandatory, so long as your TRA addresses the relevant requirements set out in the Schrems II decision.

The EDPB’s approach (which the ICO also accepts as valid) is published in its final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which offers organisations a six-step plan for making sure that the data transfer is in line with the Schrems II decision.

Following completion of the TRA, if it is concluded that the laws of the destination country do impinge on the effectiveness of the relevant article 46 UK GDPR appropriate safeguard, additional measures may be necessary to bring the level of protection up to the UK standard. The most common supplementary measures include contractual measures (eg, imposing requirements on how the importer responds to government access requests) or technical measures such as encryption. In the situation where even with those additional protections in place, there is not ‘essential equivalence’ with the UK GDPR and such measures are insufficient to compensate for any inadequacies of the data importer’s regulatory framework and surveillance practices, the transfer would not be allowed to proceed.

2.3 Exceptions or derogations

If none of the above options are available, the data exporter is left with seeing if one of the specific exceptions or derogations listed in article 49(1), UK GDPR can be applied.

The specific circumstances of the transfer will need to be considered in detail to decide which (if any) may apply to your transfer scenario. Note that, as many derogations cannot be used for regular or frequent transfers or they are subject to restrictive conditions, in practice they tend to not be used often.

The derogations or exceptions are listed below.

  • The data subject gives valid explicit consent which must be both specific and informed. For this to apply, the data exporter needs to provide the data subject with precise details about the restricted transfer and its associated risks. The main barriers to relying on consent are the challenges that may arise if that consent is withdrawn and whether the requirements for valid consent can in fact be met in a specific context, such as for transfers of HR data where the imbalance of power between employer and employee may mean that consent is not ‘freely given’.
  • The transfer must be necessary for the performance of a contract between the data subject and the data exporter, or it must be necessary as a pre-contractual step to enter into the contract. This exception can only be used for occasional restricted transfers. The transfer can happen more than once but not regularly.
  • The transfer is necessary for the performance of a contract made in the interests of the data subject between the controller of the data (usually the data exporter) and another natural or legal person. Again, the transfer must be occasional and not regular. This exception cannot be used by public authorities when exercising their public powers.
  • The transfer is necessary for important reasons of public interest. There must be a UK law which states or implies that this transfer is allowed for important reasons of public interest.
  • The transfer is necessary for the establishment of legal claims, to make a legal claim or to defend a legal claim. However, this exception can only be used for occasional restricted transfers. The claim will need to have a basis in law and a formally legally defined process. The legal claim can be interpreted widely to include:
    • all judicial legal claims, in civil and criminal law; and
    • administrative or regulatory procedures, such as to defend an investigation (or potential investigation) in competition law or financial services regulation, or to seek approval for a merger.
  • The transfer is necessary for the vital interests of an individual (where the data subject is physically or legally incapable of giving consent).
  • The transfer is being made from a register which under a UK law is intended to provide information to the public.
  • The transfer is one-off, and it is for compelling legitimate interests. This exception is for exceptional circumstances (and requires the ICO to be informed of the transfer). Therefore, it cannot be relied on lightly or regularly. The following conditions must be met in order to rely on this exception:
    • the UK’s adequacy regulations do not apply;
    • there are no appropriate safeguards available;
    • none of the other exceptions apply;
    • the transfer is occasional;
    • the personal data in question must only relate to a limited number of individuals;
    • the transfer is necessary for compelling legitimate interests;
    • the compelling legitimate interests outweigh the rights and freedoms of individuals;
    • a full assessment has been carried out and suitable safeguards put in place to protect the personal data;
    • the ICO has been informed of the transfer; and
    • the data subject has been informed of and had explained the compelling legitimate interest.

The ICO’s detailed guidance explains each derogation in more detail.

Section 3 – Failure to comply with data transfer requirements

If the data exporter is sending personal data to a third party in a country outside the UK in contravention of the data transfer provisions of the UK GDPR, it can face enforcement action from the ICO or claims from data subjects.

Under part 3, UK DPA 2018, the ICO has the right to issue a monetary penalty for failure to comply with the UK GDPR. The maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. This amount is specific to infringements related to any failure to comply with:

  • any of the data protection principles;
  • the requirements to give effect to any rights an individual may have under part 3, UK DPA 2018; or
  • the requirements in relation to any transfers of data to third countries.

Failure to comply with other more administrative requirements may incur a fine of up to £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

The ICO also has powers to order a controller or processor to stop data transfers or other processing activities.

The fines under the Privacy and Electronic Communications Regulations (PECR) are due to rise if and when the Data (Use and Access) Bill is passed and comes into effect.

Section 4 – How to approach a data transfer project

Data transfer projects may take many forms, but there are some common steps that can help data exporters to streamline these often complex projects. These steps should ideally be taken by any organisation prior to any transfer taking place; however, some documents and practices (for example, having correct and compliant documentation in place, and having a good data governance practice) should be maintained on an ongoing basis.

4.1 Data mapping

As good practice, the ICO encourages organisations to map all relevant data flows in a timely manner. There is no specific requirement under the UK GDPR to carry out data mapping in a certain way. However, an effective approach to data mapping is to structure it in the ways listed below.

  • Obtain as much information as possible. This might be in the form of a questionnaire which can be sent out to different departments if you are dealing with a larger organisation. Some example questions may include:
    • What personal data do you hold?
    • Why do you hold this personal data?
    • Who do you hold information about?
    • Who do you share this information with (including both third parties and other group companies)?
    • Are you transferring personal data outside the UK (including to servers located outside the UK or via remote access from locations outside the UK)? If so, where?
    • Where are any third parties headquartered?
    • How long are you planning to hold this information for?
    • How is this information kept secure?

    There may be automated or technology-led solutions for extracting and analysing this information.

  • Identify and meet directly with the stakeholders within the organisation. The data-mapping exercise should target senior subject matter experts as they should be best placed to identify the relevant data flows. This may differ depending on the organisation and should be assessed on a case-by-case basis.
  • Identify and review policies, procedures, contracts and agreements. Obtain as many of the contracts and/or policies listed below to identify or verify the relevant data flows and capture these appropriately:
    • privacy notices;
    • data retention policies;
    • data protection policies;
    • data security policies;
    • system-use procedures;
    • data processor contracts;
    • data sharing agreements;
    • data transfer agreements/SCCs;
    • TRAs; and
    • for large third-party suppliers, public-facing terms and conditions and other privacy-related documentation.

Carrying out the data-mapping exercise will assist with:

  • identifying where the personal data originates and where it is going;
  • identifying any gaps in the implementation of appropriate safeguards for the data transfers, and/or any other legal requirements to ensure the lawfulness of such data transfers, such as TRAs; and
  • gathering the relevant information that is needed to feed into the organisation’s records of processing activities (ROPAs) – see section 4.3 below.

An organisation’s data mapping should ideally be a live document that reflects the organisation’s data flows in real time. However, this may not be practical for a lot of organisations, so a data mapping exercise should be performed regularly, but especially to capture any changes in processing operations that may include new or modified data transfers.

4.2 Have correct, compliant documentation in place

Start with the gaps identified in the data-mapping phase, then group and prioritise them according to risk. Relevant risk factors include:

  • the type of data being transferred (special category data indicates a higher-risk transfer);
  • the volume of data (a higher volume indicates a higher level of risk);
  • whether the transfer is ongoing or periodic (higher risk) or a one-off (lower risk);
  • the territory to which the data is being transferred (a transfer to a jurisdiction covered by UK adequacy regulations is lower risk); and
  • whether appropriate safeguards are in place (a transfer to a non-adequate jurisdiction without proper safeguards is higher risk).

Based on that assessment, the organisation should draw up a remediation plan to ensure that key documents such as the IDTA/SCCs and TRAs are in place for every restricted transfer that is not covered by adequacy regulations. This applies both to transfers to third parties such as suppliers and to intra-group data transfers.
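The two steps above (4.1 data mapping, 4.2 gap triage) can be mechanised once the data map is captured as structured records. The following Python script is an added illustration and is not part of this guide or of any ICO tool: it takes a constructed inventory of transfers, flags those that lack a recognised safeguard or a TRA, and ranks the gaps using the risk factors listed above. The adequacy list, the safeguard names, the score weights and the sample transfers are all assumptions for the example; the adequacy list in particular must be checked against the UK adequacy regulations in force before any reliance on it.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumption: an illustrative subset of destinations treated as covered by UK
# adequacy regulations ("EEA" stands for the whole bloc). Verify against the
# current regulations; this set is for the example only.
ADEQUATE = {"UK", "EEA", "CH", "JP", "JE", "GG", "IM"}

# Transfer mechanisms the guide discusses for non-adequate destinations.
RECOGNISED_SAFEGUARDS = {"IDTA", "EU SCCs + UK Addendum", "BCR"}

@dataclass(frozen=True)
class Transfer:
    """One row of the data map (section 4.1)."""
    name: str
    origin: str
    destination: str           # jurisdiction code; "EEA" for the bloc
    special_category: bool
    records_per_month: int
    frequency: str             # "ongoing", "periodic" or "one_off"
    safeguard: Optional[str]   # None when no mechanism is documented
    tra_done: bool

def is_restricted(t: Transfer) -> bool:
    """A transfer from the UK to a receiver outside the UK is a restricted transfer."""
    return t.origin == "UK" and t.destination != "UK"

def gaps(t: Transfer) -> list[str]:
    """Documentation gaps in the sense of section 4.2.

    Transfers covered by adequacy regulations need neither SCCs/IDTA nor a TRA,
    so they return no gaps here.
    """
    if not is_restricted(t) or t.destination in ADEQUATE:
        return []
    found = []
    if t.safeguard not in RECOGNISED_SAFEGUARDS:
        found.append("no appropriate safeguard (IDTA / SCCs + Addendum / BCR)")
    if not t.tra_done:
        found.append("no TRA")
    return found

def risk_score(t: Transfer) -> int:
    """Additive score from the factors in section 4.2. Weights are assumptions."""
    score = 0
    if t.special_category:
        score += 3
    if t.records_per_month >= 100_000:
        score += 3
    elif t.records_per_month >= 1_000:
        score += 1
    score += {"ongoing": 2, "periodic": 1, "one_off": 0}[t.frequency]
    non_adequate = t.destination not in ADEQUATE
    if non_adequate:
        score += 2
        if t.safeguard not in RECOGNISED_SAFEGUARDS:
            score += 3   # non-adequate destination with no safeguard at all
    return score

def remediation_plan(inventory: list[Transfer]) -> list[tuple[Transfer, list[str]]]:
    """Transfers with gaps, highest risk first: the input to the remediation plan."""
    rows = [(t, gaps(t)) for t in inventory]
    rows = [(t, g) for t, g in rows if g]
    rows.sort(key=lambda row: risk_score(row[0]), reverse=True)
    return rows

# Constructed sample inventory (not real organisations or suppliers).
SAMPLE = [
    Transfer("HR sickness records -> US payroll vendor", "UK", "US", True, 5_000, "ongoing", None, False),
    Transfer("CRM analytics -> India subsidiary", "UK", "IN", False, 250_000, "ongoing", "IDTA", False),
    Transfer("Marketing list -> EEA agency", "UK", "EEA", False, 20_000, "periodic", None, False),
    Transfer("Audit sample -> Singapore auditor", "UK", "SG", False, 500, "one_off", "EU SCCs + UK Addendum", True),
    Transfer("Internal reporting -> UK SaaS", "UK", "UK", False, 50_000, "ongoing", None, False),
]

if __name__ == "__main__":
    for t, g in remediation_plan(SAMPLE):
        print(f"[score {risk_score(t):2d}] {t.name}: {'; '.join(g)}")
```

Running the script lists only the two transfers that need remediation, with the special category transfer to a destination that has no safeguard at the top; the EEA, Singapore and UK-only rows drop out because they are either covered by adequacy regulations, already documented, or not restricted transfers at all. Swapping the constructed `SAMPLE` for the organisation's own data map (for example, a CSV export loaded into `Transfer` records) turns this into the starting point for the remediation plan described above.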

4.3 Follow good data protection governance

It is crucial for organisations to have a robust data privacy and protection programme that includes appropriate measures relating to data transfers. The areas of particularly high risk, and the ways in which they can be mitigated, are set out below.

  • Data protection governance and resourcing – a well-functioning data protection compliance operation should clearly assign responsibility to senior staff members for initiating and overseeing privacy-related initiatives throughout the organisation on a proactive basis. This includes embedding appropriate data protection governance structures at all levels.
  • Access controls – access controls in centralised systems should be set in a systematic and methodical way so that personal data is shared on a need-to-know basis and subject to appropriate geographical restrictions, since giving a receiver outside the UK access to personal data can itself be a restricted transfer. The controls and the rationale for them should be documented in appropriate policies and protocols.
  • Supplier due diligence – a robust process should be implemented for evaluating the data protection compliance of suppliers who process personal data on behalf of the organisation before they are onboarded, and for reviewing that assessment on an ongoing basis rather than only at onboarding.
  • Processor terms – controls should be built into the supplier onboarding process to ensure that the mandatory processor contract terms (article 28, UK GDPR) are in place with every supplier that processes personal data on the organisation’s behalf, and that TRAs are in place for all restricted transfers that rely on appropriate safeguards.
  • ROPAs, data protection impact assessments (DPIAs) and TRAs – DPIAs are the method by which organisations analyse their high-risk processing, identify the areas of risk and mitigate any exposure. The ICO stipulates that DPIAs must consider not only compliance risks but also wider risks to the rights and freedoms of individuals. For more details on DPIAs see the ICO’s Data Protection Impact Assessments Guidance and the How-to guide: How to ensure compliance with the GDPR. ROPAs and DPIAs should include complete details of all international data transfers and should incorporate the relevant TRAs. Triggers should also be set for updating the ROPA and for carrying out DPIAs (or preliminary screening assessments) for high-risk restricted transfers.

Additional resources

European Data Protection Board – Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR 
Information Commissioner’s Office – IDTAs
Information Commissioner’s Office – International transfers

Related Lexology Pro content

How-to guides:

Understanding key data protection definitions
How to ensure compliance with the GDPR
How to comply with data processing principles under the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach
How to deal with an ICO dawn raid

Checklists:

GDPR compliance self-assessment audit
Lawful processing of personal data under the GDPR
Assessing whether an organisation is a controller or processor under the GDPR
Processor due diligence (data protection and cyber security)
Obtaining and managing consent under the GDPR
What to include in your organisation’s privacy notice
Data subject access rights under the GDPR
When and how to appoint a data protection officer
Making an international transfer of personal data under the UK GDPR
Complying with cookie requirements under the PECR and the GDPR

Reliance on information posted:

While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.