How to manage international personal data transfers

Copyright © 2025 LexisNexis
Published by a LexisNexis Risk & Compliance expert
Practice notes

How to manage international personal data transfers

Copyright © 2025 LexisNexis

Published by a LexisNexis Risk & Compliance expert

Practice notes
imgtext

This Practice Note is intended for in-house lawyers and privacy and compliance professionals in private sector commercial organisations in the UK. It provides guidance on how to manage international transfers of personal data and explains the legal and practical challenges organisations face relation to international data transfers. It reflects ICO guidance on international transfers, including in relation to transfer risk assessments (TRAs).

This Practice Note is not intended for public sector organisations.

This Practice Note reflects the United Kingdom General data protection Regulation (UK GDPR) and Information Commissioner’s Office (ICO) guidance on International transfers, including ICO guidance on Transfer risk assessments. See also Practice Note: How to complete a transfer risk assessment—international data transfer—ICO methodology.

This Practice Note also signposts key EU guidance in relation to transfer impact assessments (TIAs), which is the EU equivalent of a transfer risk assessment. See also Practice Note: How to complete a transfer impact assessment—international data transfer—EU methodology and Precedents: Transfer impact assessment—personal data—EU methodology, which reflects the EU approach to TIAs and International data transfer—data

Powered by Lexis+®
Jurisdiction(s):
United Kingdom
Key definition:
Personal data definition
What does Personal data mean?

Personal data means data relating to a living individual who can be identified from such data, either alone or with other information in the data controller’s possession. It includes opinions about, and intentions in relation to the data subject.

Read more readmore

Popular documents

UK GDPR—the basics

UK GDPR—the basicsThis Practice Note explains, in simple terms, the key features of the UK General Data Protection Regulation (UK GDPR). See also Precedent: Data protection quick reference guide.This Practice Note is intended for non-privacy specialists and there are separate, more detailed,

Public statement on data breach

Public statement on data breachStatement by [insert name of organisation] concerning a significant [cyber-attack OR data protection breach] on [insert date].On [date], we were made aware of an incident threatening the security of personal data for which we are responsible. [We OR [insert name of

Data subject access request form

Data subject access request formPlease complete this form if you wish to request access to your personal data. You do not have to use this form, but it will help us to deal with your request as quickly and effectively as possible if you do.You can also use this form if you are requesting access to

Refusing a data subject request—what is ‘manifestly unfounded or excessive’?

Refusing a data subject request—what is ‘manifestly unfounded or excessive’?The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects, including providing rights of access, rectification, erasure and restriction of processing, data portability, a right to object to