
UK’s ICO Unveils Streamlined Guidance: Complying with International Data Transfers under UK GDPR


On 15th January 2026, the United Kingdom Information Commissioner’s Office (ICO) published updated guidance on international transfers of personal data under the UK GDPR (the guidance) [1]. The guidance combines current materials, reflecting stakeholder feedback as well as the latest legislative developments, including various aspects of the Data (Use and Access) Act 2025. It seeks to simplify the practical measures involved in identifying and managing cross-border data transfers, including by clarifying roles and responsibilities, safeguards and assessment requirements. However, the core expectation remains clear: organisations must handle international transfers of personal data in a structured, risk-based way, backed by well-documented decision-making.

The ICO’s Three-Step Test

A central feature of the update is the ICO’s clear “three-step test” for determining whether an organisation is making a restricted transfer. Organisations should evaluate:

  1. Does the UK GDPR apply to the processing of the personal data being transferred?

  2. Is the organisation initiating the transfer of personal data to an organisation located outside the UK?

  3. Is the recipient organisation a separate legal entity?

If the answer to all three questions is “Yes”, then the transfer qualifies as a restricted transfer, and the organisation must ensure that the transfer is covered by UK adequacy regulations, appropriate safeguards or derogations. Where an organisation relies on the “appropriate safeguards” under Article 46 of the UK GDPR, it must complete and document a Transfer Risk Assessment (TRA), referred to in the legislation as the data protection test.

For compliance teams, this three-step test provides a structured screening mechanism that can be embedded into vendor onboarding and data mapping processes.

Why are international transfer rules essential?

International transfer rules are a core compliance obligation for organisations engaging in cross-border operations or global partnerships. Without appropriate safeguards, personal data may lose the protections otherwise guaranteed under the UK GDPR when it is transferred outside the United Kingdom, potentially exposing individuals to a lower standard of protection. These rules therefore apply broadly to all entities and organisations that handle personal data under the UK GDPR, including sole traders.

For organisations, this means that cross-border data flows are a risk and regulatory exposure area requiring formal oversight rather than contractual handling. Under the UK GDPR’s accountability principle in Article 5(2), organisations must be able to demonstrate that any restricted transfer is lawful and adequately safeguarded.

Compliance Oversight

The organisation that initiates a restricted transfer bears the responsibility for ensuring compliance, irrespective of its location or role in the processing chain.

Compliance controls include the following:

  • Verifying whether UK adequacy regulations apply, that is, whether the destination benefits from UK-recognised equivalent protection.

  • Where reliance is placed on Article 46 safeguards, completing and documenting a TRA to determine, on a reasonable and proportionate basis, that protections are not materially lower after the transfer.

  • Relying on exceptions or derogations under Article 49 of the UK GDPR (e.g., explicit consent, contract performance, legal claims) only where necessary and proportionate, and not as a default transfer mechanism.

Key compliance takeaways and recommended actions

To align with the updated guidance, organisations could prioritise the following:

  • Map all international data flows and embed the ICO’s three-step restricted transfer test into procurement and vendor onboarding workflows.

  • Verify the necessity and lawful basis for each transfer.

  • Choose and implement the suitable mechanism (adequacy, safeguards with TRA, or derogation as appropriate).

  • Review and revise the existing contracts (e.g., incorporating the International Data Transfer Agreement (IDTA) or UK Addendum where required).

  • Reassess existing TRAs against the “not materially lower” protection standard introduced under the Data (Use and Access) Act 2025.

  • Implement a comprehensive oversight mechanism for high-risk jurisdictions.

  • Ensure Board or senior manager reporting appropriately captures cross-border data risks.

Use the UK ICO’s additional resources, such as the brief guide[2], FAQs[3], and glossary[4].

It is critical for compliance teams to embed these steps within procurement workflows, IT governance processes, and vendor risk management frameworks.

Conclusion: Streamlining compliance and strengthening accountability

The UK ICO’s guidance, published and updated on 15 January 2026, strengthens and streamlines the framework for international transfers of personal data under the UK GDPR, aiming to strike an effective balance between robust data protection and business enablement. By creating a structured assessment around a clear three-step test and providing clarity on the safeguards, the ICO has reduced several ambiguities (e.g., processor vs. controller initiation and updated safeguard language, to name a few) for compliance teams while strengthening accountability.

Organisations should be reviewing their existing international data flows against the three-step test, updating contracts and templates with the IDTA/UK Addendum where required and performing or refreshing TRAs, especially for high-risk destinations.

For compliance teams, this means that international transfers should not be treated as a contractual afterthought, but as a governed, documented and periodically reviewed compliance control.

Komrisk – Automated Regulatory Compliance Management Software

In the light of the updated ICO Guidance, it is now critical for organisations handling international transfers of personal data to adhere to the appropriate safeguards and conditions. Komrisk provides effective compliance management software, including a compliance library designed to centralise oversight of regulatory compliance.

Organisations must have internal processes in place to monitor and manage the transfer of personal data, ensuring that every cross-border data exchange is in line with the UK GDPR’s strict mandates. Clients using Komrisk can create internal tasks to ensure that the processes are adhered to. Komrisk further supports organisations in staying compliant by:

  • Tracking data transfer requirements (safeguards, derogations).

  • Documenting and scheduling TRA reviews.

  • Maintaining audit trails for accountability purposes.

  • Providing automated reminders and escalation workflows; and

  • Facilitating oversight reporting for senior management.

By embedding structured oversight with solutions like Komrisk, organisations can reduce compliance risk while managing their global data transfers effectively.

For full details of the Guidance, refer to the ICO’s international transfers hub: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/

The brief guide is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/a-brief-guide-to-international-transfers/

[1] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/01/updated-guidance-on-international-transfers-published/

[2] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/a-brief-guide-to-international-transfers/

[3] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/quick-reference-faqs/

[4] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/glossary/

Authored by: Anuska Chanda

Co-authored by: Swapna Umakanth

Disclaimer

This content is intended for informational purposes only and does not constitute a legal opinion. Readers are encouraged to seek legal counsel prior to acting upon any of the information provided herein. Despite our efforts to maintain accuracy, we do not make representations, warranties or undertakings regarding the quality, completeness or reliability of the content.  This content, including the design, text, graphics, their selection and arrangement, is Copyright 2025, Lexplosion Solutions Private Limited or its licensors. ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.

For any clarifications, please reach out to us at 91-33-40618083 or inquiries@lexplosion.in.
