The publication on 15 January 2026 of the ICO’s updated international transfer guidance (“the Guidance”) marks a further incremental step away from the post-Schrems II era of EU international transfer rules. The update clarifies and implements the Chapter V UK GDPR framework, with a focus on streamlined transfer risk assessments and clearer scoping of restricted transfers. It provides a structural and practical refresh of the ICO’s international transfers materials, including shorter, task-based guidance, a new brief guide, quick-reference FAQs and a glossary. The Guidance introduces a clear “three-step test” to help organisations identify when they are making a restricted transfer under UK GDPR Chapter V.
Substantively, the Guidance is also updated to reflect the new concepts introduced by the Data (Use and Access) Act 2025 (DUA Act) for assessing data protection risks on international transfers. In particular, the ICO aligns its terminology with the statutory concept of a “data protection test”, while continuing to use the established term “transfer risk assessment” (TRA) to describe the practical risk assessment process. The Guidance does not replace the TRA as a compliance requirement, but explains how the TRA now maps to the statutory data protection test under the DUA Act. This article analyses the updated regime, focusing on the scope and operation of the ICO’s three-step test for identifying restricted transfers (I), before considering the revised statutory risk assessment standard under the DUA Act and its application through the TRA / data protection test (II).
Structural reassessment: the ICO’s three-step test for restricted transfers
In this section, we analyse the three-step test as applied to restricted transfers. In practice, a transfer will only be a restricted transfer if the answer to each of Steps 1, 2 and 3 is “yes”. Sections A, B and C address Steps 1, 2 and 3 respectively.
- Step 1: Does the UK GDPR apply to the processing of the personal information being transferred?
The first step of the updated Guidance frames territorial scope as a threshold issue. Before considering whether UK GDPR Chapter V applies, an organisation must first establish that the UK GDPR applies to the processing of the personal data that is the subject of the transfer.
While the statutory framework under UK GDPR Article 3 remains unchanged, the Guidance highlights the extraterritorial reach of UK GDPR Article 3(2), which captures organisations with no UK presence where their processing activities are deliberately directed at the UK through the targeted offering of goods or services or the monitoring of individuals’ behaviour in the UK. Practically, this step requires organisations to document and evidence their UK nexus (or the absence of one) as part of their transfer governance, rather than treating territorial scope as an assumed background condition.
UK GDPR will apply where an organisation is established in the UK and the processing is carried out by, or is inextricably linked to, that establishment, even if the processing itself occurs elsewhere. The ICO’s emphasis on resolving this issue at the outset reflects a regulatory expectation that territorial analysis forms part of an organisation’s accountability and governance framework.
- Step 2: Are we initiating the transfer of personal information to an organisation outside the UK?
The Guidance sharpens the “restricted transfer” trigger by focusing on who initiates the international transfer of personal data. The Guidance confirms that a transfer includes both the sending of personal data and making personal data available to an overseas organisation, including by remote access. A transfer is only restricted where the UK exporter initiates the transfer of personal data to an organisation located outside the UK, such that the transfer must be covered by a mechanism under UK GDPR Chapter V. Initiation is not simply a question of who technically transmits the data. It is determined by who takes the decision (or performs the act) that causes the transfer to take place.
This is the Guidance’s most operationally significant clarification for multi-layered controller/processor arrangements:
- Processor “return” transfers: The ICO confirms that a UK processor returning personal data to an overseas controller is not initiating a restricted transfer where the processor is acting solely on the controller’s instructions and the controller is the controller of that same personal data. In that scenario, the restricted transfer is treated as taking place from the controller to the overseas recipient, not from the UK processor.
- Processor-initiated transfers: Conversely, where a processor independently initiates a restricted transfer (for example, by appointing a non-UK sub-processor), the processor is responsible for ensuring compliance with UK GDPR Chapter V for that transfer. In those circumstances, the controller’s responsibility is to make reasonable and proportionate checks as part of its UK GDPR Article 28 obligation to ensure that the processor provides sufficient guarantees.
The legal and contractual implication is that responsibility for international transfer compliance must follow initiation and procurement reality, rather than organisational assumptions about who owns transfer risk.
Roles and responsibilities are therefore central to the updated Guidance. The ICO makes clear that: (i) the party that initiates a restricted transfer is responsible for ensuring that the transfer is covered by UK adequacy regulations, appropriate safeguards under UK GDPR Article 46, or (where applicable) a UK GDPR Article 49 derogation; and (ii) this allocation of responsibility applies regardless of whether the initiating party is acting as controller or processor. The Guidance also clarifies that parties who do not initiate a restricted transfer remain subject to their broader UK GDPR obligations, including compliance with the data protection principles, security requirements and accountability obligations. Where appropriate safeguards are relied upon, the initiating party is also responsible for completing the TRA / data protection test.
- Step 3: Is the overseas recipient a separate legal entity?
The third step confirms that UK GDPR Chapter V applies only where the overseas recipient is a separate legal entity. The Guidance provides practical illustrations that are particularly relevant to global operating models:
- Intra-entity transfers between a UK branch and its overseas head office are not restricted transfers, because there is no separate legal entity.
- Remote access to personal data by overseas employees of a UK entity does not constitute a restricted transfer, whereas access by an overseas contractor does, because the contractor is a separate legal entity.
The combined effect of Steps 2 and 3 is that the mapping of restricted transfers becomes an entity- and initiation-based exercise (identifying who the legal person is and who initiates the transfer), rather than a simplistic focus on where data is stored or where processing infrastructure is located.
Interpretation of the new risk assessment standards under the DUA Act
We will first examine the move away from the EU-derived “essentially equivalent” formulation to the UK statutory “not materially lower” standard (A), before analysing how that standard is applied in practice through the TRA / “data protection test” (B).
- The “not materially lower” standard under the DUA Act
The Guidance does not introduce a new international transfer regime. Instead, it reflects the DUA Act’s revised statutory language for assessing the level of protection required when personal data is transferred outside the UK. In summary, the DUA Act amends the description of the required level of protection for transfers under both (i) UK adequacy regulations and (ii) appropriate safeguards, by adopting the “not materially lower” standard.
Adequacy remains the primary reference point in the ICO’s materials. Where UK adequacy regulations apply to the destination country or sector, the restricted transfer may proceed on that basis without the need to rely on UK GDPR Article 46 safeguards or to carry out a TRA.
The updated adequacy materials also reflect UK-specific mechanisms, including the UK extension to the EU–US Data Privacy Framework (the UK-US data bridge). The Guidance also indicates that organisations may take into account relevant UK government-published analyses when completing a TRA for transfers to the United States under Article 46 safeguards.
The ICO’s Transfer Risk Assessment guidance makes the operational impact clear. Where an organisation relies on a UK GDPR Article 46 safeguard, it must complete a TRA to satisfy itself that the level of protection for individuals’ personal data following the transfer is not materially lower than in the UK, and must implement any additional technical, organisational or contractual measures identified by that assessment. In practice, an Article 46 safeguard is only appropriate if it is properly put in place in a legally binding form and is supported (where required) by a documented TRA / data protection test and the implementation of any supplementary measures identified as necessary.
- The evolution from the TRA to the “data protection test”
The Guidance does not remove or dilute the obligation to carry out a TRA before making a restricted transfer that relies on appropriate safeguards. The ICO continues to use the term “TRA” in its guidance, while confirming that UK legislation now refers to this assessment as the “data protection test”.
Where an organisation has previously completed a TRA and concluded that the level of protection was adequate, the ICO considers that assessment to satisfy the data protection test, on the basis that the underlying principle remains unchanged and the Guidance has been updated to reflect the revised statutory wording.
The Guidance on “Completing a TRA” frames the assessment as explicitly risk-based. It identifies two core risk areas: (i) risks of access to personal data by public authorities or other third parties in the destination jurisdiction, and (ii) risks relating to the enforceability of data subject rights and contractual protections. The ICO recognises three approaches to conducting the assessment: use of the ICO’s TRA tool, reference to the EDPB methodology (as a comparator), or reliance on relevant UK government-published analyses where available.
In relation to derogations (including legal claims), the Guidance also reiterates that, where neither adequacy nor appropriate safeguards apply, organisations may rely on UK GDPR Article 49 derogations only where the relevant conditions are met. The ICO’s updated derogations guidance clarifies the scope of the “legal claims” derogation, confirming that it may cover, for example, ongoing or reasonably contemplated litigation, pre-action correspondence, or the obtaining of legal advice, provided that the transfer is necessary for the establishment, exercise or defence of legal claims. The derogation is to be applied narrowly: it is not intended to legitimise routine or repetitive transfers, for which an appropriate safeguard should instead be used.
This leaves organisations in a clearer compliance position where they can evidence: (i) correct scoping under the three-step test, (ii) a reasonable and proportionate TRA / data protection test where appropriate safeguards are relied upon, and (iii) the documented implementation of any supplementary measures required to ensure that the level of protection is not materially lower.
Key Takeaways
The Guidance confirms that the UK continues to diverge, in measured and targeted ways, from the EU’s post-Schrems II international transfer framework, while remaining anchored to UK GDPR Chapter V through adequacy regulations, Article 46 safeguards (supported by a TRA / data protection test), and Article 49 derogations.
Importantly, the European Commission renewed the UK’s adequacy decisions on 19 December 2025 (until 27 December 2031), indicating that, at least for now, the UK’s legislative and regulatory trajectory has not been regarded as undermining the overall level of protection.
Overall, the Guidance should be read as both (i) a more navigable and practical guidance suite (including the brief guide, FAQs and glossary), and (ii) the ICO’s first consolidated articulation of how DUA Act transfer terminology is intended to operate in practice.
The update also forms part of a wider programme of work by the ICO to develop its international transfers materials further, including additional practical examples and tools. The ICO has indicated that it will publish further examples and case studies, introduce an interactive tool to help organisations identify restricted transfers, and host a webinar to support organisations making (or advising on) restricted transfers.
Recommended compliance steps:
- Refresh transfer maps to identify legal entities and transfer initiators.
- Embed the three-step test at the scoping stage of international transfers.
- Update controller-processor and sub-processing contractual provisions to reflect initiation-based allocation of Chapter V responsibilities and UK GDPR Article 28 requirements.
- Where relying on UK GDPR Article 46 safeguards, update TRA templates to reflect the “not materially lower” standard and the ICO’s two-risk-category approach.
- Where relying on a derogation (including legal claims), document clearly why the conditions are met and why an appropriate safeguard is not used.
We regularly advise organisations on international data transfers. If you would like to discuss how the updated ICO guidance affects your organisation, please contact our data protection team.