The UK’s General Data Protection Regulation (GDPR) regime imposes restrictions on the transfer of personal data outside the UK. In January 2026, the UK’s data protection regulator, the ICO, published long-awaited updates to its guidance on those rules.
Since the UK’s international transfer regime potentially impacts all businesses transferring personal data between the UK and other countries, the ICO’s updated guidance is crucial reading for all organisations processing personal data subject to the UK GDPR.
Our first blog in this two-part series summarised when the ICO considers the transfer rules to apply. This second blog explores how to ensure restricted transfers are carried out lawfully, and some key areas of divergence from the equivalent approach taken in the EU.
Businesses should carefully review how the ICO’s updated guidance applies to their operations, in order to minimise risks and, where appropriate, maximise any simplification benefits the new guidance may offer.
Related UK (and EU) rules also restrict transfers of personal data to international organisations, meaning bodies governed by public international law or established by agreement between countries. Those rules are unlikely to be relevant in a commercial context and are beyond the scope of this blog series.
The transfer mechanisms
Every transfer that is a ‘restricted transfer’ (as explained in our first blog) must be covered by one of the following transfer mechanisms:
- UK adequacy regulations;
- appropriate safeguards; or
- an exception set out in the legislation.
UK adequacy regulations
Organisations can make a restricted transfer if the receiver is located in a country, or sector or territory in a country, covered by UK adequacy regulations.
The UK has issued adequacy regulations in respect of various areas of the world (including the EU), some of which are ‘full’ (covering all personal data transfers), and some of which are ‘partial’ (meaning they only apply to certain transfers). It is therefore important to check the scope of the relevant regulation carefully.
The ICO’s guidance reflects that, where available, adequacy regulations are the most efficient mechanism to rely on, because information can flow freely from the UK without the need to put in place additional safeguards.
However, the ICO emphasises that, whenever adequacy regulations are relied on, it expects (as good practice) the exporting organisation to undertake reasonable and proportionate checks that the recipient will comply with its obligations under the local data protection laws.
While there is significant overlap between the countries that are deemed to be ‘adequate’ under the UK GDPR and EU GDPR, there is beginning to be some divergence – for example, Brazil is now the subject of a European Commission adequacy decision, but is not covered by UK adequacy regulations.
Appropriate safeguards
Where an adequacy regulation does not apply, businesses will usually seek to rely on one of the ‘appropriate safeguards’ that are recognised by the UK GDPR:
- a legally binding and enforceable instrument between a public body and another public body, an international organisation, or an organisation carrying out public functions;
- binding corporate rules (BCRs);
- standard data protection clauses – the ICO’s international data transfer agreement (IDTA) and the international data transfer addendum to the EU standard contractual clauses (the Addendum);
- a code of conduct approved by the ICO;
- a certification under a certification scheme approved by the ICO;
- contractual clauses authorised by the ICO; or
- administrative arrangements, authorised by the ICO, between a public body and another public body, an international organisation, or an organisation carrying out public functions.
The ICO has updated its guidance on each, especially on BCRs, the IDTA and Addendum, which are the most commonly used mechanisms.
An organisation planning to use any of these safeguards must first complete a transfer risk assessment (TRA) to demonstrate that the chosen safeguard provides the level of protection required by UK law.
The updated guidance explains in detail how to conduct a TRA under the new rules that took effect on 5 February 2026. UK law on TRAs now diverges from the approach to the equivalent transfer impact assessment (TIA) followed by EU data protection authorities, with the UK seeking to make its regime more business friendly. Further background on those UK reforms and the EU/UK divergence, including the new threshold for assessing international transfers under a TRA, can be found in our previous blog post on the reforms. The guidance confirms that TRAs completed under the previous rules, before the new laws came into force, can continue to be relied on.
Exceptions
Even if no adequacy regulation or appropriate safeguard is available, a restricted transfer may still be lawful if one of a number of narrow exceptions applies.
Examples include where the organisation has obtained explicit consent to the transfer from the person the information is about, where the transfer is necessary for the performance of a contract with that person, or where the transfer is necessary to establish, exercise or defend a legal claim; several other exceptions are available.
Exceptions are rarely relied upon in practice given their narrow scope and the practical challenges associated with them. The updated guidance sets out the detailed requirements for relying on each exception (including, in most cases, showing that reliance on the exception is necessary and proportionate). In this respect the UK and EU approaches remain similar, although some voices in the EU have advocated a wider reading of the equivalent, equally narrow, exceptions in the EU GDPR.
Further requirements
The updated guidance addresses a number of related issues such as:
- confirming (in FAQs) that an organisation is not making a restricted transfer if it sends an individual outside the UK their own personal data (the UK GDPR transfer rules do not apply in this situation because the person receiving the data is not a controller or processor); and
- outlining some of the further general UK GDPR duties that apply where data is sent overseas (regardless of whether that is a restricted transfer), including:
- duties on controllers to comply with the general data protection principles, eg duties to have a lawful basis and to provide mandatory information to data subjects (including about restricted transfers) and to undertake data protection impact assessments where relevant;
- duties on processors to comply with their obligations under data processing agreements; and
- duties on both controllers and processors to comply with relevant security and record-keeping duties.
Next steps
The guidance remains open for feedback and may evolve further.
Please reach out to one of the authors of this blog post if you would like help navigating these complexities.