
What are the rules on appropriate safeguards?


When can we rely on appropriate safeguards to make a restricted transfer?

Transfers of personal information to separate organisations located outside the UK are known as ‘restricted transfers’. You must not make restricted transfers unless certain conditions are met.

You can read more about what a restricted transfer is in our guide to international transfers.

When you make a restricted transfer, you must ensure that the transfer is covered by:

  • UK adequacy regulations;
  • appropriate safeguards; or
  • an exception (called a “derogation” in the legislation).

If there are no UK adequacy regulations covering your restricted transfer and none of the exceptions apply, you must ensure that you use appropriate safeguards for the transfer.

What are appropriate safeguards?

Article 46 of the UK GDPR sets out a list of safeguards. Each safeguard is designed to ensure that both you, as the sender, and the receiver are legally required to protect people’s personal information.

The safeguards are:

  • a legally binding and enforceable instrument between a public body and another public body, an international organisation, or an organisation carrying out public functions;
  • binding corporate rules (BCRs);
  • standard data protection clauses – the ICO’s International data transfer agreement (IDTA) and the International data transfer addendum (the Addendum);
  • a code of conduct approved by the ICO;
  • a certification under a certification scheme approved by the ICO;
  • contractual clauses authorised by the ICO; and
  • administrative arrangements, authorised by the ICO, between a public body and another public body, an international organisation, or an organisation carrying out public functions.

If you plan to use one of these safeguards, you must first complete a transfer risk assessment (TRA). Completing a TRA helps you ensure that the standard of protection for people’s information is “not materially lower” after you transfer it.

Your chosen safeguard becomes “appropriate safeguards” when:

  • you’ve completed a TRA;
  • you’ve taken any extra technical and organisational steps and put in place any extra protections identified in your TRA; and
  • the safeguard, including any extra contractual clauses identified in your TRA, has been executed so that it’s legally binding on the relevant organisations.

What is a transfer risk assessment (TRA)?

With the introduction of the Data (Use and Access) Act (DUAA), a TRA is now referred to in the legislation as a “data protection test”.

To meet the data protection test, you must decide, acting reasonably and proportionately, that the standard of protection for people’s information is not materially lower than in the UK after you transfer that information.

If you carried out a TRA following our guidance before the DUAA came into effect and you concluded that the level of protection was sufficient, you’ve met the data protection test. The principle remains the same: you must ensure that the standard of protection for people is not undermined after you transfer their personal information.

We still use the term ‘transfer risk assessment’ and TRA in our guidance, but we’ve updated our TRA guidance to match the new wording of the data protection test.

You must not make a restricted transfer relying on a safeguard if:

  • you complete a TRA and decide that your chosen safeguard doesn’t provide enough protection for all of the information you want to transfer; and
  • you can’t carry out extra steps or put in place extra protections to close that gap.

In that situation, you could:

  • rely on an exception; or
  • decide not to transfer the information.

You also must not transfer information relying on a safeguard if:

  • you complete a TRA and decide that for some but not all of the information you want to transfer, your chosen safeguard doesn’t provide enough protection for people’s information; and
  • you can’t carry out extra steps or put in place extra protections.

In that situation, you could:

  • for the information that is sufficiently protected, make the restricted transfer relying on your chosen safeguard (with any extra steps and protections); and
  • for the information that is not sufficiently protected, rely on an exception or decide not to transfer that information.