International data transfers under the UK GDPR

Use this step-by-step guide to determine whether your school can lawfully share personal data with countries outside the UK. This includes sending it directly to an international organisation or to be kept on a server abroad.

Last reviewed on 24 March 2022
School types: All · School phases: All
Ref: 36354
Contents
  1. What is an international data transfer?
  2. How has Brexit changed how you transfer data abroad? 
  3. Step 1 - do you really need to transfer the data?
  4. Step 2 - will it be a 'restricted transfer'?
  5. Step 3 - does the receiving country have an 'adequacy regulation'?
  6. Step 4 - do you have an appropriate safeguard in place?
  7. Step 5 - have you carried out a transfer risk assessment? 
  8. Step 6 - is the transfer covered by an exception?

We wrote this article based on ICO guidance and advice from Forbes Solicitors.

What is an international data transfer?

Typical scenarios for a school

You've been asked to share information with a school based abroad, for example:

  • A teacher is moving abroad and the school asks you for an employment reference
  • One of your students moves to a new, international school, and they ask you for the student's past performance data
  • You're using an online service, such as an educational app or cloud storage, which stores the personal data it uses on a server held abroad.

Why do you need to think about this now?

The UK GDPR restricts the transfer of personal data to countries outside of the UK or to international organisations, unless you're covered by one of the provisions set out in this article. 

You should know where any