International transfers

Copyright © 2026 LexisNexis

STOP PRESS: This document is being updated to reflect implementation of the Data (Use and Access) Act 2025 (DUAA 2025) which amends the UK GDPR and Data Protection Act 2018. For more guidance on the compliance implications of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications.

This subtopic is intended for private sector commercial organisations in the UK and reflects the UK GDPR. It sets out the legal and practical challenges organisations face when transferring data outside the UK and suggests some risk management measures you may wish to adopt.

The data protection regime on international transfers

All transfers of personal data are subject to the general requirements of Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR), eg you must:

  1. have a lawful ground for processing that personal data—see Practice Note: How to process personal data lawfully

  2. provide certain information to data subjects—see Practice Note: Privacy notices—information requirements, and

  3. (where the transfer poses a high risk) complete a data protection impact assessment—see Practice Note: How to complete a data protection

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Risk & Compliance News

ICO updates data protection by design guidance following DUAA commencement

The Information Commissioner’s Office (ICO) has published its updated guidance on data protection by design and by default alongside the commencement of key Data (Use and Access) Act 2025 (DUAA 2025) provisions. The guidance clarifies that organisations must build data protection considerations into the design and operation of systems, services, products, and processes, ensuring that only the minimum necessary personal information is collected, used, stored, and accessed for each defined purpose. It explains the need for appropriate technical and organisational measures, including robust security controls, clear retention practices, strong default privacy settings, and regular assessment of risks through data protection impact assessments.

FCDO imposes sanctions on six individuals fuelling Sudan conflict

The Foreign, Commonwealth and Development Office (FCDO) has imposed immediate sanctions on six individuals on 5 February 2026. The measures were announced by the Foreign Secretary, Yvette Cooper, following her visit to the Sudan–Chad border. The sanctions target senior commanders of the Rapid Support Forces and the Sudanese Armed Forces, as well as individuals accused of financing the conflict, procuring weapons and recruiting foreign mercenaries, in response to their alleged roles in fuelling the war in Sudan and enabling serious abuses against civilians. The FCDO stated that the measures aim to increase pressure on those responsible for massacres, sexual violence, forced displacement and other atrocities, particularly in Darfur and Gezira states, and to disrupt the financial and logistical networks sustaining the conflict. The sanctions form part of a wider UK strategy combining enforcement, humanitarian assistance and diplomacy. Under this approach, the UK has committed £146m in aid during the current financial year, is calling for an immediate ceasefire and unhindered humanitarian access, and will prioritise Sudan during its February 2026 presidency of the UN Security Council while co-hosting an international conference in April 2026 to strengthen coordinated international efforts to end the conflict and promote accountability.

OFSI amends General Licence INT/2022/1947936 and UK Financial Sanctions FAQs

The Office of Financial Sanctions Implementation (OFSI) has updated its UK Financial Sanctions frequently asked questions (FAQs), amending FAQs 147 and 148. The OFSI has also amended General Licence INT/2022/1947936 and removed expired General Licence INT/2025/8202932.

Risk & Compliance weekly highlights—5 February 2026

This week's edition of Risk & Compliance weekly highlights includes the commencement of major reforms under the Data (Use and Access) Act 2025 and further insights from the ICO on its 2026 regulatory priorities. It also reports on the European Commission’s adoption of an adequacy decision for Brazil, new UK sanctions against Iranian authorities, updates from OFSI on licensing and enforcement reforms and analysis of the government’s proposed National Police Service and its implications for economic crime enforcement.

View Risk & Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Can I charge a fee for dealing with a data subject access request?

Can I charge a fee for dealing with a data subject access request?The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects including providing rights of rectification, erasure and restriction of processing, data portability, a right to object to processing and a

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a
Can I charge a fee for dealing with a data subject access request?

Can I charge a fee for dealing with a data subject access request?

Can I charge a fee for dealing with a data subject access request?The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects including providing rights of rectification, erasure and restriction of processing, data portability, a right to object to processing and a

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Contributory negligence in personal injury claims

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a