top of page
Search

ICO Updates Guidance on International Data Transfers

The Information Commissioner's Office has published updated guidance on international transfers of personal data under the UKGDPR, aiming to make cross-border transfer rules clearer, more practical, and easier to apply.

 

What Has Changed

Three-Step Test

The updated guidance puts a streamlined three-step test at the center of international transfer analysis:

➡️ Is there a transfer of personal data to another country?

➡️ Is the transfer “restricted” under UK GDPR?

➡️ If yes — what transfer mechanism and safeguards apply?

 

Obraz autorstwa DilokaStudio na Freepik


Complex & Multi-Layered Transfers

The ICO explicitly addresses:

➡️cloud service providers,

➡️sub-processors,

➡️onward transfers,

➡️group-wide data flows.

 

What UK Companies Need to Do in Practice

Based on the updated ICO guidance, UK organizations should focus on the following actions:

Map International Data Flows

You must clearly understand:

➡️where personal data is stored,

➡️where it is accessed from,

➡️which third parties and sub-processors are involved,

➡️and whether data is transferred outside the UK.

 

Restricted Transfers

Use the ICO’s three-step test to determine:

➡️which transfers are restricted,

➡️which rely on adequacy regulations,

➡️which require appropriate safeguards.

 

The Right Transfer Mechanism

For restricted transfers, ensure you are using:

➡️UK adequacy regulations,

➡️UK International Data Transfer Agreement,

➡️or the UK Addendum to EU SCCs.

 

Transfer Risk Assessments

The ICO reinforces the need for Transfer Risk Assessments.

You must assess:

➡️legal risks in the destination country,

➡️access by public authorities,

➡️effectiveness of technical and organizational measures.

 

Review Contracts

International transfer compliance is tightly linked to:

➡️ third party risk management ,

➡️procurement processes,

➡️contract lifecycle management.

 

Contracts must reflect:

➡️correct transfer mechanisms,

➡️security obligations,

➡️audit and cooperation clauses.

 

Governance & Security

International transfers should be integrated with:

➡️information security controls,

➡️data classification,

➡️incident response,

➡️vendor oversight.




 
 
 

Comments

Stay in touch

kontakt@itgrc.pl

BW ADVISORY sp. z o.o. 

ul. Boczańska 25
03-156 Warszawa
NIP: 525-281-83-52

Privacy policy

  • LinkedIn
  • Youtube
bottom of page