A long-promised update to guidance has been published by the Information Commissioner’s Office, designed to make it quicker and easier for businesses to understand their obligations when transferring data overseas.

The Information Commissioner’s Office (ICO) has finally published a long-awaited update to its international transfers guidance.  

Those familiar with this complex area of law will know that the updated guidance is long overdue, having been promised for several years. The ICO says the updated guidance is designed to make it quicker and easier for businesses to understand their obligations when transferring data overseas, while supporting responsible data flows that enable innovation and economic growth.

What does the ICO’s new guidance include?

Key improvements include:

  • Clearer content presented as standalone sections instead of one long piece of guidance, covering topics such as adequacy regulations, appropriate safeguards, completing transfer risk assessments, use of exemptions, and receiving personal information from the European Economic Area.
  • A simple, three‑step test to help organisations quickly work out whether they are making a ‘restricted transfer’.
  • New guidance on roles and responsibilities in complex, multilayered transfer scenarios.
  • New language brought in by the Data (Use and Access) Act 2025, such as the standard required for ‘adequacy’, the standard required for ‘safeguards’, and the ‘data protection test’.
  • Additional resources such as a brief guide, quick reference FAQs, and a glossary to support organisations without specialist expertise or experience in making international transfers.

The ICO reported that this update forms part of a wider ongoing project, with more updates forecast regarding transfer risk assessments, the international data transfer agreement, and cloud services involving international transfers. 

In addition, the ICO plans to add an interactive tool to help organisations assess whether a transfer is restricted and provide more examples and case studies that reflect the complexity of global transfer scenarios.

Who is likely to be affected by the new ICO guidance?

If your organisation transfers personal data outside the UK – whether making it accessible via cloud services, or transferring between overseas offices, international suppliers or other external processors – this update is likely to touch several parts of your compliance framework. The new ‘three‑step test’ clarifies when the rules apply, making it easier to identify restricted transfers early in your process. 

The introduction of the new ‘data protection test’ may require you to revisit existing assessments, as it sets a slightly different threshold from the previous EU‑style requirement of ‘essential equivalence’.

Roles and responsibilities are also more clearly defined, which matters in multi‑layered outsourcing chains where multiple processors or sub‑processors sit outside the UK. 

In addition, the ICO has raised the bar for relying on exceptions, meaning you will need to justify necessity and proportionality in order to take advantage of them. 

Overall, the update should streamline compliance in the long term, but there will be some short-term pain for many organisations needing to update checklists, templates, and internal procedures to stay aligned.

What actions should organisations take to ensure compliance?

A good starting point is to map your international data flows and apply the ICO’s ‘three‑step test’ across each one to determine which transfers fall within the restricted transfer regime. 

Next, review and update your transfer risk assessments to reflect the new ‘data protection test’ and ensure existing documentation does not reference the older ‘essential equivalence’ standard. 

Check agreements involving overseas processors and sub‑processors to make sure responsibilities are allocated correctly – especially where chains of multiple suppliers are involved. 

Finally, refresh internal training so teams understand the new terminology and the updated approach to exceptions. If your organisation relies heavily on cloud services, you should monitor the ICO’s planned further guidance in this area. 

While none of these changes are designed to be disruptive, failing to update outdated processes could mean transfers become non‑compliant.

Key takeaways

  • Map international data flows against the ICO's three-step test.
  • Review and update your transfer risk assessments.
  • Check agreements involving overseas processors and sub‑processors.
  • Deliver training for your teams.


Please be advised that this is an update which we think may be of general interest to our wider client base. The insights are not intended to be exhaustive or targeted at specific sectors as such, and whilst we naturally take every care in putting our articles together, they should not be considered a substitute for obtaining proper legal advice on key issues which your business may face.