Privacy & Information Security Law Blog

On January 15, 2026, the UK Information Commissioner’s Office (the “ICO”) published updated guidance on international transfers of personal data (the “Guidance”), designed to make it easier and more efficient for organizations to navigate cross-border data flows under the UK General Data Protection Regulation (“UK GDPR”).

The Guidance introduces a ‘three-step test’ to help organizations determine whether their international data transfers are considered “restricted” under the UK GDPR and provides worked examples to assist organizations with their determination. In particular, the test states that organizations should consider the following before undertaking any international transfers of personal data: 

• Step 1: Does the UK GDPR apply to the processing of the personal data the organization is transferring?
• Step 2: Is the organization initiating the transfer of personal data to an organization located outside the UK?
• Step 3: Is the organization that is receiving the personal data a separate legal entity from the transferring organization?

The ICO has also expanded the Guidance to set out distinct roles and responsibilities for organizations making international transfers, and now also provides a brief guide, quick reference FAQs, and a glossary on the subject.

The ICO’s press release indicated that the updates form part of a broader project to develop ICO guidance. Future enhancements will include further guidance on transfer risk assessments, more detailed information on the International Data Transfer Agreement and cloud services, as well as the introduction of an interactive tool to help organizations assess restricted transfers. Case studies and examples reflecting the realities of global data transfers are also expected.

Read the press release here. Read the Guidance here.