Completing a transfer risk assessment
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Latest updates – last updated 15 January 2026
15 January 2026 – We’ve broken down the content of our previous Guide to international transfers into specific detailed guides, including this one on Completing a transfer risk assessment. We’ve updated this guidance to reflect new language brought in by the Data (Use and Access) Act. A transfer risk assessment (TRA) is now referred to in UK legislation as a “data protection test”.
About this guidance
This guidance discusses completing a transfer risk assessment (TRA) for international transfers in detail. It's aimed at Data Protection Officers (DPOs) and those with specific data protection responsibilities.
It provides guidance on what a TRA is and when it is needed. It also sets out what organisations need to do to comply with the legislation.
You should read this guidance in conjunction with our other guidance on international transfers. For more information on data protection compliance, see our Guide to data protection.
If you’re processing information for law enforcement purposes under part 3 of the Data Protection Act 2018 (DPA), this detailed guidance may help you complete a TRA in your particular circumstances.
However, we didn’t write this guidance for competent authorities operating under part 3 of the DPA. For further advice, please read our separate guidance on international transfers in our Guide to law enforcement processing.
Contents
- What’s a transfer risk assessment (TRA)?
- Completing a TRA
- The ICO’s TRA tool
- Completing a TRA using the UK government’s analysis (US)