International transfers

This subtopic is intended for private sector commercial organisations in the UK and reflects the UK GDPR. It sets out the legal and practical challenges organisations face when transferring data outside the UK and suggests some risk management measures you may wish to adopt.

STOP PRESS: This Overview is being updated to reflect revised ICO guidance on international transfers. In particular, the transfer risk assessment (TRA) test has been changed from ‘sufficiently similar’ to ‘not materially lower’ in anticipation of an amendment to the UK GDPR. This means that when conducting a TRA, you must be satisfied the standard of protection for personal data in the relevant third country is ‘not materially lower’ than that provided under the UK’s data protection regime. For more guidance on the forthcoming amendment to the UK GDPR, see Practice Note: Data (Use and Access) Act 2025—compliance implications — International transfers.

The data protection regime on international transfers

All transfers of personal data are subject to the general requirements of Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR), eg you must:

•
have a lawful ground for

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Practice Compliance News

OFSI issues £160,000 monetary penalty on Bank of Scotland for financial sanctions breaches

The Office of Financial Sanctions Implementation (OFSI) has issued a monetary penalty of £160,000 on Bank of Scotland Plc (Bank of Scotland) for breaches of regulations 11 (dealing with funds) and 12 (making funds available) of the Russia (Sanctions) (EU Exit) Regulations 2019, SI 2019/855. The penalty was imposed under section 146 of the Policing and Crime Act 2017 (PCA 2017) and relates to Bank of Scotland’s processing of 24 payments totalling £77,383.39 to and from a personal current account held by an individual designated under the Russia Regulations.

EDPB publishes revised FAQs and procedural rules on EU–US Data Privacy Framework

The European Data Protection Board (EDPB) has published updated guidance on the EU–US Data Privacy Framework (DPF), including revised frequently asked questions (FAQs) for European individuals and businesses, an updated template complaint form for DPF-related commercial complaints, and updated rules of procedure governing the informal panel of EU Data Protection Authorities (DPAs), replacing the versions adopted in 2024.

Practice Compliance weekly highlights—22 January 2026

This week's edition of Practice Compliance weekly highlights includes a High Court ruling on AML oversight failures at a City law firm and updates to the ICO's guidance on transfer risk assessments and international data transfers. We also feature insights on developments in UK whistleblowing protections and new guidance from the Legal Ombudsman on improving early complaint resolution.

How government AML supervision reform will affect law firms

Law360, London: On 6 November 2025, HM Treasury shared a consultation on anti-money laundering (AML) and counter-terrorist financing (CTF) supervision reform.

View Practice Compliance by content type :

News