January 26, 2026
The Information Commissioner’s Office (ICO) has updated its guidance on international transfers of personal information.
The guidance is aimed at Data Protection Officers and others within organisations who have data protection responsibilities, and sets out in detail how to comply with the rules on transferring personal information to controllers or processors located outside the UK.
The guidance has not only been restructured into separate sections, each addressing a specific aspect of the rules on international transfers, but also introduces a new ‘three step test’ that organisations should follow when assessing whether they are making a so-called ‘restricted transfer’ that falls within the scope of the UK GDPR transfer rules:
- Does the UK GDPR apply to the processing of the personal information that the organisation is transferring?
- Is the organisation initiating a transfer of personal information to an organisation which is located outside the UK?
- Is the organisation to which personal information is being transferred a separate legal entity?
Each of these steps is explored in detail, supported by helpful case studies.
The guidance then addresses how organisations should comply with the transfer rules where they apply, including discussion of the UK adequacy regulations, appropriate safeguards, and available derogations, again illustrated through hypothetical scenarios. It also sets out practical steps that organisations can take to reduce risk, particularly where there is a possibility of onward transfers. These include reducing or pseudonymising the personal information being transferred, reviewing recipients’ contractual arrangements or risk assessments relating to onward transfers, and, where appropriate, prohibiting onward transfers altogether.