How to complete a transfer risk assessment—international data transfer—ICO methodology

Published by a LexisNexis Risk & Compliance expert
Practice notes

This Practice Note is intended for in-house lawyers and privacy and compliance professionals in private sector commercial organisations in the UK. It provides guidance on how to complete a transfer risk assessment when transferring personal data out of the UK on the basis of standard contractual clauses (SCCs), the International Data Transfer Agreement (IDTA) or binding corporate rules (BCR).

When relying on one of these transfer mechanisms, you must assess data protection risks in the recipient country by completing some sort of impact or risk assessment. The Information Commissioner’s Office (ICO) calls this a transfer risk assessment (TRA) whereas EU guidance adopts the term transfer impact assessment (TIA). The EU and UK regulators also differ on the methodology for completing the assessment.

This Practice Note reflects the ICO’s approach for completing a transfer risk assessment under the United Kingdom General Data Protection Regulation (UK GDPR), Assimilated Regulation (EU) 2016/679. For the EU methodology, see Practice Note: How to complete a transfer impact assessment—international data transfer—EU methodology and Precedent: Transfer

Jurisdiction(s): United Kingdom