Info Gov

The Information Commissioner’s Office has launched a new interactive self‑service tool designed to help organisations determine whether their cross-border data sharing arrangements constitute a restricted transfer under the UK GDPR.

The tool, now live on the ICO website, offers tailored guidance for organisations “short on time and need[ing] a helping hand”, providing an indication of how the legislation is likely to apply to a specific transfer scenario. According to the ICO, the tool is based on its established three‑part test, which assesses:

  • whether the UK GDPR applies to the information;
  • whether the data is being sent to an organisation outside the UK; and
  • whether that organisation is a separate legal entity.

Users are asked up to six questions, with the ICO stating that the process “only takes about ten minutes”. While the results are not definitive, the regulator says the tool provides “a reliable indication of how the legislation is likely to apply”, emphasising that controllers remain responsible for ensuring compliance with UK data protection law.

For public bodies, the tool is most likely to assist in procurement, contract management and digital transformation programmes where public sector organisations routinely engage with cloudbased HR and finance systems, international software vendors, global research partners, outsourced service providers or crossborder dataprocessing arrangements 

The tool’s structured questions can help information governance teams and procurement leads:

- identify when a transfer assessment is required 

- flag when a vendor relationship involves a restricted transfer 

- support earlystage risk assessments 

- reduce delays caused by uncertainty 

- provide consistent internal advice 

The ICO has clarified that the tool is not designed for processing carried out for law enforcement purposes under Part 3 of the Data Protection Act 2018, where different rules apply.

Also in this section

Jul 13, 2026

ICO refreshes law enforcement subject access guidance following DUAA 2025

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.
Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…

InfoGov Masthead Newsletter 800