International data transfers: what most companies still get wrong
Most organisations today are aware that transferring personal data internationally carries regulatory risk. Under both the EU and UK data protection regimes, several steps are required to ensure that personal data remains secure when exported. In practice, this rests on three pillars.
- Operational security: Technical and organisational measures must be in place to protect the data throughout the supply chain, such as encryption, access controls and monitoring.
- Contractual security: Appropriate contractual safeguards must be used. For certain jurisdictions this requires the execution of recognised contract model clauses.
- Legal and regulatory security: In some circumstances organisations must complete a Transfer Risk Assessment to examine how the legal framework of the destination country affects protection against third-party access.
If you are a data controller, you are responsible for all three across your supply chain. In this article we focus on the third pillar: the Transfer Risk Assessment.
The need for Transfer Risk Assessments
Many organisations still assume that once standard contractual clauses are in place, their international data transfers are “done” from a compliance perspective. That assumption has been unsafe since the Schrems II judgment and remains one of the most common sources of hidden regulatory risk in cross-border data processing.
Where personal data is transferred from the UK to a country that is neither within the EEA nor covered by a UK adequacy decision, organisations are now expected to carry out a Transfer Risk Assessment (“TRA”). The purpose is to determine whether individuals’ data will in practice receive an essentially equivalent level of protection to that guaranteed under UK GDPR.
What is a Transfer Risk Assessment?
A Transfer Risk Assessment is a structured legal and factual analysis of a specific international data transfer. It explores a simple question, which can be hard to answer: taking into account the law and practice of the destination country and the safeguards in place, will individuals’ personal data really be protected to a standard comparable to UK GDPR?
The TRA requirement stems from the Schrems II decision, which invalidated the EU–US Privacy Shield and held that standard contractual clauses cannot be used mechanically. Instead, exporters must assess whether the law of the destination country undermines the protections promised in the clauses and whether supplementary measures are needed.
In the UK, the Information Commissioner’s Office has adopted this approach and expects controllers and processors to document their reasoning in a TRA where appropriate. This is not a box-ticking exercise. It forms part of the accountability obligation under UK GDPR and is increasingly requested by regulators, enterprise customers and procurement teams.
When do you need a TRA?
You do not need a TRA for every international transfer. A TRA is required when personal data is transferred from the UK to a country that does not benefit from a UK adequacy decision and where the organisation relies on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. The UK Addendum serves as an alternative for companies that already use the new EU Standard Contractual Clauses for their EU transfers, allowing them to extend those same clauses to UK transfers without having to adopt the standalone UK International Data Transfer Agreement.
Where the destination country does benefit from a UK adequacy decision, such as the EEA, Japan or South Korea, a TRA is not required because Parliament has already determined that the country provides an adequate level of protection.
What does a compliant TRA need to cover?
A compliant TRA is more than a narrative statement that “the risk is low”. Regulators expect to see a structured analysis covering at least the following elements:
A clear description of the transfer
This includes who is sending the data, who is receiving it, the purposes of the processing, the categories of personal data involved, whether special category data is included and whether onward transfers are envisaged.
Identification of the legal transfer mechanism relied upon
For UK transfers this means specifying whether the UK International Data Transfer Agreement is in place or whether the EU Standard Contractual Clauses are being used together with the UK Addendum.
An assessment of the law and practice of the destination country
This is the heart of the Schrems II analysis. The organisation must consider whether local laws allow public authorities to access personal data in ways that are incompatible with UK GDPR, whether those powers are proportionate and whether individuals have access to effective legal remedies.
The UK approach
The UK’s approach to this risk assessment has recently diverged from the EU’s. Under the Data Use and Access Act 2025, controllers must determine whether the protections available in the destination country are “not materially lower” than those under UK law. This formulation is widely viewed as a lower threshold than the EU’s “essentially equivalent” standard arising from Schrems II. As a result, UK organisations may reach permissibility conclusions in TRAs that EU organisations could not, creating a growing methodological divide between the two regimes.
An evaluation of the technical and organisational measures in place
This includes encryption in transit and at rest, access controls, segregation of customer environments, logging and monitoring and, crucially, who controls the encryption keys. Strong encryption where keys are held exclusively in the UK or EEA can materially reduce risk.
Consideration of supplementary measures
Contractual commitments to notify and challenge government access requests, internal law-enforcement request-handling policies and strict retention limits all play a role, but they must be mapped to specific legal risks rather than listed as generic controls.
A reasoned conclusion on residual risk and accountability
The TRA should explicitly state whether any remaining risk is acceptable in context and why, taking into account the necessity and proportionality of the transfer for business purposes.
The special case of transfers to the United States
Transfers to the US deserve particular attention. Since October 2023 the UK has adopted a partial adequacy decision for US organisations certified under the UK Extension to the EU–US Data Privacy Framework, often referred to as the UK–US Data Bridge. Where a US recipient is properly certified under the UK Extension, transfers can rely on Article 45 UK GDPR and no TRA is required.
However, there are three common traps:
- Certification under the EU–US Data Privacy Framework is not the same as certification under the UK Extension. Many organisations are certified for the EU regime but not for the UK one. From a UK GDPR perspective, that is not sufficient.
- Certification is entity-specific. It must cover the actual contracting party and the relevant processing activities. It is not unusual for a corporate group to have one certified affiliate and another uncertified one.
- Certification can lapse or be withdrawn. A robust compliance programme needs to monitor this and have a fallback mechanism in place.
If the US recipient is not certified under the UK Extension, the transfer must rely on the UK IDTA or the UK Addendum and a Schrems II-style TRA is required. In that scenario, organisations must grapple with US surveillance laws such as FISA 702 and Executive Order 12333 and assess whether their safeguards meaningfully reduce the resulting risks.
The commercial reality
For most businesses, international data transfers are unavoidable. Cloud hosting, payment processing, fraud detection, customer support and analytics routinely involve processors and sub-processors outside the UK.
The regulatory challenge is not to eliminate these transfers, but to document and justify them properly. The days when organisations could simply “drop in the clauses and forget about it” are over. In the post-Schrems II world, a Transfer Risk Assessment is now a core part of doing cross-border data business properly.
A well-structured TRA reduces regulatory risk by providing a defensible record if things go wrong. It also reassures enterprise customers, speeds up procurement processes and future-proofs compliance programmes against legal and regulatory change.
How we can help
We can help you make your international data transfers as simple and robust as possible, including by providing practical templates for data processing agreements, international transfer clauses, impact assessments and Transfer Risk Assessments.
Contact [email protected] or [email protected] to discuss your requirements.