ICO International Transfer Guidance: New three-step test

The Information Commissioner’s Office published substantially revised guidance on international transfers of personal data on 15 January 2026.

The update reflects changes introduced by the Data (Use and Access) Act 2025 and introduces a new three-step test designed to help organisations determine whether their data flows constitute a ‘restricted transfer’ requiring formal safeguards under UK GDPR.

The ICO described the update as aimed at simplifying a notoriously complex area of data protection law and making it quicker for organisations to understand and comply with the transfer rules. Alongside the main guidance, the ICO also published a new brief guide, quick-reference FAQs, and a glossary, all specifically designed to support organisations that do not have specialist data protection knowledge or experience.

What is the ICO three-step test?

  1. Does UK GDPR apply to the processing of the data being transferred?
  2. Is your organisation initiating the transfer to an entity outside the UK? and
  3. Is that external entity a separate legal entity from you?


If the answer to all three is yes, a restricted transfer is taking place. This matters because restricted transfers require either a UK adequacy decision covering the destination country or an appropriate safeguard – such as the International Data Transfer Agreement (IDTA) or a UK Addendum to EU standard contractual clauses.

One operationally significant clarification in the updated guidance concerns who is responsible for the transfer obligation in processor-to-controller scenarios. The ICO has confirmed that where a UK-based processor returns personal data to a non-UK controller – for example, a UK IT supplier sending data back to its overseas client – that return transfer is not a restricted transfer initiated by the processor, because the processor is acting solely on the controller’s instructions. This differs from the position in parts of the EU and may reduce the need for IDTAs or Transfer Risk Assessments in some common outsourcing arrangements.

Law firms routinely transfer personal data across borders through cloud hosting, use of overseas counsel, international transactions, and third-party suppliers. The new guidance also rebrands the Transfer Risk Assessment as a “data protection test”, and clarifies who is responsible for the transfer obligation when UK processors return data to non-UK controllers.

It is important to note that the ICO continues to use the term ‘Transfer Risk Assessment’ (TRA) in its practical guidance, even though the Data (Use and Access) Act 2025 now refers to this process in statute as a ‘data protection test’. The two terms describe the same compliance requirement: where a restricted transfer relies on an appropriate safeguard such as the IDTA, a TRA must be completed to assess whether the standard of protection for personal data in the destination country is materially lower than under UK GDPR.

For law firms, the practical trigger points for this guidance are likely to include: use of US-based cloud platforms (for example, practice management software or document storage hosted in the US or elsewhere outside the UK); sharing client data with overseas counsel or correspondent law firms; international transactions where client data is shared with counterparties or advisers abroad; and use of any third-party supplier – such as a translation agency, forensic accountant, or costs draftsman – that processes data outside the UK. Firms should not assume that because a supplier has a UK office, all data processing takes place in the UK.

Actions for you:

  • Map where personal data flows outside the UK within your firm’s operations, including IT software and suppliers. A data flow mapping exercise does not need to be complex, but it does need to be comprehensive. Common blind spots in law firms include cloud-based practice management systems, overseas document review platforms, and email archiving services.

  • Apply the three-step test to each flow. The ICO has confirmed it will publish an interactive tool to help organisations apply the test. In the meantime, the ICO’s brief guide and quick-reference FAQs, published alongside the main guidance on 15 January 2026, are the most accessible starting points.

  • Where restricted transfers are identified, check whether an adequacy decision applies or whether IDTAs are in place. The UK has granted adequacy decisions to a number of countries including the EU/EEA, but not to the US, which requires either an IDTA or UK Addendum to EU SCCs. Where your firm is relying on a supplier’s existing EU SCCs, check whether the UK Addendum has also been signed; the EU SCCs alone are not valid for UK restricted transfers.

  • The ICO is hosting a webinar on 10 March 2026 to support organisations with these changes. Registration details are available on the ICO’s website. The ICO has also indicated that further guidance on Transfer Risk Assessments and cloud services will be published later in 2026 as part of an ongoing programme of work.