Overview
On January 15, 2026, the UK Information Commissioner’s Office (ICO) announced updated guidance on restricted international transfers aimed at improving organizational understanding and compliance with the United Kingdom’s international transfer regime under the UK General Data Protection Regulation (UK GDPR).
Notably, the new guidance introduces a three-step test to help organizations identify restricted transfers under the UK GDPR. The guidance also clarifies the application of controller and processor roles in the context of restricted transfers and provides insight into adequacy decisions.
In Depth
To determine whether compliance with transfer restrictions is necessary, businesses must first assess whether they are engaging in a restricted transfer. Restricted transfers generally involve the transfer of personal data to separate controllers or processors (i.e., separate legal entities) outside the UK, although the determination will depend on the specific circumstances of the transfer.
The three-step test
The ICO’s updated guidance introduces a three-step test for determining whether a restricted transfer is taking place. The three steps ask:
- Does the UK GDPR apply to the personal data that will be transferred?
- Is the transfer to a recipient outside the UK?
- Is the transfer to a separate controller or processor (i.e., a separate legal entity) from the exporter?
The guidance states that if the answer is “yes” to all three questions, the transfer is considered a restricted transfer, and the UK GDPR international transfer rules apply.
Data transfer roles
The updates to the ICO’s guidance also provide greater clarity regarding how the ICO views the roles and responsibilities organizations have when engaging in restricted international transfers.
As a reminder, entities are classified as “controllers” or “processors” based on their respective roles in determining how and why personal data is processed. Controllers determine the purposes and means of processing personal data, while processors (and their subprocessors) act on a controller’s behalf.
The updated guidance clarifies that processors are responsible for restricted data transfers that the processor itself initiates, even when a controller has authorized the transfer. This would even include onward transfers that processors initiate to their subprocessors.
Additionally, the guidance clarifies when an organization is not responsible for an international transfer. For example, a processor does not need to comply with the data transfer rules when sending or returning personal data to the originating controller. The ICO does not consider this a restricted transfer because it is a transfer back to the same legal entity.
Transfer risk assessments
The guidance also clarifies responsibilities for conducting a transfer risk assessment (TRA), which evaluates the risks and safeguards involved with transferring personal data outside the UK. Since the ICO issued its post-Schrems II international transfer guidance, TRAs have been required when personal data is transferred from the UK to countries not subject to a UK adequacy decision.
Historically, controllers have generally been responsible for completing TRAs. However, the guidance states that processors are also responsible for completing TRAs for the restricted transfers they initiate, including transfers to subprocessors (even when the controller has authorized use of the subprocessor).
In addition to clarifying responsibilities, the updated guidance provides more information on how to complete a TRA. The ICO released a new interactive tool containing questions and guidance for completing a TRA. The TRA tool prompts organizations to consider:
- The specific circumstances of the restricted transfer;
- The level of risk to people in the personal data you are transferring;
- A reasonable and proportionate level of investigation, given the overall risk level in the personal data and the nature of your organization;
- Whether the transfer significantly increases the risk of a human rights breach in the destination country for the people who are the subject of the transferred data;
- Whether both you and the data subjects will be able to enforce the safeguard in the UK against the data recipient;
- If enforcement action outside the UK may be needed, whether you and the data subjects will be able to enforce the safeguard in the destination country or elsewhere; and
- Whether any of the limited exceptions to the restricted transfer regime apply.
The tool also provides a list of personal data categories and assigns initial risk scores reflecting the risk of harm to individuals. The ICO encourages entities to use the initial risk scores as a starting point to determine the level of risk that must be accounted for in the TRA.
While use of the new tool is not required, it seeks to provide entities with a standard way to conduct TRAs before engaging in restricted transfers.
Adequacy guidance
Finally, the ICO guidance addresses adequacy decisions, clarifying that adequacy regulations permit both full and partial adequacy decisions. Full decisions cover all restricted transfers to a certain country, while partial decisions cover only certain transfers, such as transfers to specific types of organizations, transfers involving specific types of personal data, or transfers where specific conditions apply.
The guidance also provides more information on the UK Extension to the EU-US Data Privacy Framework (DPF) requirements. It clarifies that only US businesses regulated by the US Federal Trade Commission (FTC) or US Department of Transportation (DOT) are eligible to join the DPF.
When relying on the UK Extension, the ICO guidance states that organizations must:
- Only make restricted transfers to US businesses that are active on the DPF list;
- Only transfer the types of personal data that the US business has registered to receive; and
- Ensure compliance with additional obligations when transferring specific types of data, such as HR data, special category data, and criminal offense data.
Key takeaways and action items
Organizations that engage in restricted transfers should:
- Review the updated guidance to ensure current policies and procedures are aligned with the ICO’s updated expectations;
- Consider updating transfer risk assessments and related policies and procedures to align with the questions and risk analyses set out in the new TRA tool;
- Evaluate current reliance on adequacy decisions, including whether ongoing reliance remains appropriate in light of the updated guidance; and
- Use the guidance as an opportunity to operationalize and strengthen international data transfer governance and compliance programs.
Our cross-practice team continues to closely monitor global privacy and cybersecurity developments. To learn more, reach out to one of the authors or your regular McDermott Will & Schulte lawyer to discuss the potential legal implications for your business.