ICO Guidance on UK GDPR International Data Transfers

Detected February 6th, 2026

Summary

The UK's Information Commissioner's Office (ICO) has published updated guidance on international transfers of personal data under UK GDPR. The guidance consolidates information on adequacy regulations, appropriate safeguards, transfer risk assessments, and exceptions for restricted transfers.

View original document View source feed page

What changed

The Information Commissioner's Office (ICO) has consolidated and updated its guidance concerning international transfers of personal data under the UK GDPR. This guidance covers key areas such as adequacy regulations (including specific information on the UK Extension for the US), appropriate safeguards (UK IDTA, Addendum, UK BCRs), the process for completing transfer risk assessments (TRAs), and the use of exceptions (derogations) for restricted transfers. It also includes resources like a glossary and FAQs.

Organisations involved in transferring personal data outside the UK must review this guidance to ensure compliance with UK GDPR requirements. While this is an update and consolidation of existing information, it provides clarity on the practical steps and legal frameworks necessary for making restricted transfers. Compliance officers should ensure their internal policies and procedures align with the detailed advice provided, particularly regarding the completion of TRAs and the selection of appropriate safeguards.

Source document (simplified)

International transfers

On this page you’ll find guidance you need to support your international transfers of personal information. It’s suitable for all types of organisation.

Brief guidance

A brief guide to international transfers

The rules about transferring personal information to other countries – including checklists to help you identify and make a 'restricted transfer'.

Detailed guidance

A guide to international transfers

The rules about transferring personal information to other countries – when the rules about transferring information to other countries apply, how to make what we call a 'restricted transfer', and who has responsibility for complying with the rules.

Adequacy regulations

Guidance on adequacy regulations and when they apply – including a list of current UK adequacy regulations. There’s also specific information on the UK’s adequacy regulations for the US (the UK Extension), with checklists to help you comply.

Appropriate safeguards

Guidance on the safeguards permitted under UK GDPR, including the UK IDTA, Addendum and UK BCRs, and when they become appropriate safeguards for restricted transfer of personal information. Previous content on IDTAs and BCRs has been moved here.

Completing a transfer risk assessment

Guidance on what a transfer risk assessment (TRA) is, when you need a TRA, and how to complete one. A TRA is now referred to in UK legislation as a “data protection test” but we still use the term ‘transfer risk assessment’ and TRA in our guidance.

Using an exception

Guidance on the exceptions from the rules on restricted transfers (called “derogations” in the legislation) and when you can use them.

Receiving personal information from the EEA

Guidance about receiving personal information from the EEA – including the EU adequacy decisions for the UK and information to help navigate the UK and EU data protection regimes. It replaces our previous guidance on Data protection and the EU.

Resources

Glossary

A list of frequently used terms or phrases used in this guidance and their definitions.

Quick reference FAQs

Answers to some of the questions we're asked about most often about restricted transfers.

Contact

If you have any feedback or comments on this guidance, please let us know at InternationalTransfersViews@ico.org.uk. This inbox is not monitored for queries about your specific transfers. If you have a specific query, please check our Contact us page to find the right advice service.