International transfers

This subtopic is intended for private sector commercial organisations in the UK and reflects the UK GDPR. It sets out the legal and practical challenges organisations face when transferring data outside the UK and suggests some risk management measures you may wish to adopt.

The data protection regime on international transfers

All transfers of personal data are subject to the general requirements of Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR), eg you must:

•
have a lawful ground for processing that personal data—see Practice Note: How to process personal data lawfully
•
provide certain information to data subjects—see Practice Note: Privacy notices—information requirements, and
•
(where the transfer poses a high risk) complete a data protection impact assessment—see Practice Note: How to complete a data protection impact assessment—DPIA

Where you transfer the personal data internationally (outside the UK), you must also satisfy and comply with requirements in Chapter V of the UK GDPR (Transfers of personal data to third countries or international organisations).

To comply with these requirements, you should consider:

•
is the transfer caught by the data protection

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Practice Compliance News

Jonathan Fisher KC updates on fraud offences and disclosure reform progress

Chair of the Home Office Independent Review of Disclosure and Fraud Offences, Jonathan Fisher KC has published an update outlining the progress of the review's second phase. The update identifies three focus areas: whistleblowing mechanisms for fraud detection, sentencing reform and technological/legislative changes. Fisher reports consulting over 120 stakeholders across the justice system and plans to submit final recommendations to the Home Secretary by end-2025. The review examines the Fraud Act 2006's effectiveness for internet fraud cases, which now constitute 43% of all recorded crime in England and Wales.

Practice Compliance weekly highlights—3 July 2025

This week's edition of Practice Compliance weekly highlights includes: OFSI’s new confidential reporting guidance, a Red Alert on Russian oil sanctions evasion, US sanctions targeting cybercrime infrastructure, analysis of the conclusions of the cross-government review of UK sanctions implementation and enforcement and news of a new Practice Note on the DUAA 2025 and its implications for data protection compliance.

AI risks leaving UK businesses exposed to insurance gaps

Law360, London: Businesses that replace workers with artificial intelligence (AI) tools could face difficulties when they make claims under standard negligence insurance policies after consumers lose out, lawyers say.

OFSI updates UK Financial Sanctions FAQs

The Office of Financial Sanctions Implementation (OFSI) has updated its UK Financial Sanctions FAQs, adding FAQ 149 on ‘What constitutes an economic resource?’, FAQs 150–151 relating to Crown Dependencies and Overseas Territories and FAQ 152 on ‘When should securities held at designated local Russian registrars be reported to OFSI?’. Additionally, FAQs 123–124 have been moved to the withdrawn FAQs document.

View Practice Compliance by content type :

News