International Data Transfer Risk Assessments

On May 3, 2022, the Icelandic data protection Supervisory Authority (SA) issued a fine of 5 million Kronur (about 35,000 Pounds) against the municipality of Reykjavík1. The culprit? One of their elementary schools had employed an American educational cloud-based service. The school failed to implement appropriate safeguards, which were necessary to keep data (especially sensitive as it concerned children) secure as the processor was based in a country with inadequate data protection regulations.

Although presumably a significant fine for a municipality, this amount pales in comparison to the maximum penalties set by the UK GDPR for such violations – £17.5 million or 4 percent of annual global turnover, whichever is greater.

When do you need a Transfer Risk Assessment?

A transfer risk assessment is one of the measures that companies can take to avoid such fines. It works as a component of the appropriate safeguards provided for in the UK GDPR when transferring data to any country other than the ones that have been granted adequacy status by the UK’s Information Commissioner’s Office, a list which mostly comprises EEA nations.

Transfers of personal data to countries not on that list (such as the United States) are referred to as restricted transfers – prohibited unless an exception can be applied. To transfer personal data to those countries compliantly, the UK GDPR permits companies to use a number of “appropriate safeguards”. The goal of these safeguards is to ensure that the protections afforded to data subjects by UK laws remain in place even when the data is transferred outside the country. One of those safeguards is the International Data Transfer Agreement (referred to as the Standard Contractual Clauses (SCCs) in the EU), which is a template agreement that binds the importer and exporter to maintain certain standards in the course of the processing contract.

In the past, the International Data Transfer Agreement (in the form of the Standard Contractual Clauses template that preceded it) was sufficient, by itself, to show that the data would be secure, thus complying with the GDPR’s requirements. However, in July 2020, the Court of Justice of the European Union (CJEU) declared in the popular Schrems II 2 case that in light of the ability of foreign nations to access personal data despite the controls in the SCCs, using the template agreements would no longer be an automatic exception to the prohibition against transferring personal data outside the EEA. Instead, they would now have to be preceded by a Transfer Risk Assessment that would determine if the template agreement would provide enough security.

Key Considerations When Conducting Transfer Risk Assessments

The most important point for companies intending to export personal data to consider, is that a TRA must be specific yet comprehensive. It must be focused on the particular transfer that is intended to be made, considering the types of personal data and the unique risks that exposure may pose to the data subjects. On the other hand, it must be comprehensive in its evaluation of the country to which the transfer is to be made. The assessment must take the laws and regulations on data protection into consideration, but also extend to the attitudes of the judicial and administrative authorities with regard to upholding privacy rights.

To make sure your company is complying with UK GDPR, consider performing a Data protection Audit with us and find out how to remediate any gaps. Get in touch to see how we could help your organisation.

References:

[1] https://edpb.europa.eu/news/national-news/2022/icelandic-sa-municipality-reykjavik-fined-5000000-isk-use-seesaw_en

[2] https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf

 

 

 

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation