
UK EU data transfers still look aligned, but the work now splits
Key Takeaways
- Keep separate UK and EU transfer records when data flows touch both regimes.
- Update UK templates so transfer risk assessment language reflects the data protection test.
- Review vendor intake to capture location, applicable regime, transfer mechanism, and assessment evidence.
The UK and EU regimes share a familiar shape, yet 2026 guidance pushes privacy teams toward separate transfer files and tests.
Every privacy team has a folder named something like international transfers, and inside it lives the spreadsheet everyone pretends is jurisdiction neutral. In 2026, that file is becoming a small trap. Kennedys Law LLP has put the operational issue plainly in its article on applying divergent UK EU transfer rules, tools, and risk assessments. For cloud vendors, AI products, and SaaS providers, the problem is less grand theory than version control. The practical lesson is not that UK GDPR and EU GDPR have become strangers. It is that similarity on the page can hide different work in the file. A sales team may see one customer contract, one support workflow, and one analytics pipeline. Privacy has to see the routing, the legal regime, the transfer mechanism, and the evidence trail.
The transfer question now starts with routing
The ICO says its brief guide to international transfers, published on 15 January 2026, provides checklists to help organisations identify and make a restricted transfer. That is the right starting point, because many compliance failures begin before anyone reaches for a clause library. The first operational question is whether the personal data movement is a restricted transfer under the applicable regime. If the answer is yes, the team needs to know which regime is doing the asking. In practice, that means the data map has to be more useful than a diagram for auditors. It should connect the contract, the product feature, the processor or subprocessor, and the location of the relevant processing. The ICO guide is framed as an introduction, not as a substitute for the detailed guidance, so treating a checklist as the whole compliance file would be optimistic. Optimism is not a transfer mechanism.
The UK file has a new name for the test
The ICO says its detailed guidance on completing a transfer risk assessment was last updated on 15 January 2026. It also says the content of its previous Guide to international transfers has been broken into specific detailed guides, including one on transfer risk assessments. Most importantly for templates, the ICO says the guidance was updated to reflect language brought in by the Data (Use and Access) Act, and that a transfer risk assessment is now referred to in UK legislation as a "data protection test". That does not mean every historic assessment spontaneously combusts. It does mean UK files should show that the organisation applied the UK test, using the current terminology and evidence. The ICO says the guidance is aimed at Data Protection Officers and people with specific data protection responsibilities, which is regulator language for: do not leave this entirely to procurement. A vendor questionnaire can collect facts, but the legal conclusion needs an owner.
Where the EU copy paste habit fails
Freshfields says the UK GDPR regime restricts transfers of personal data outside the UK, and that the ICO published long awaited updates to its guidance in January 2026. Freshfields also says those updates are crucial for organisations processing personal data subject to UK GDPR, and its Part 2 analysis focuses on lawful restricted transfers and key areas of divergence from the equivalent EU approach. That is enough to retire the lazy question, are we GDPR compliant. The better question is, compliant with which transfer regime, for which data flow. For builders, the useful change is procedural. Keep separate UK and EU conclusions where the same product workflow touches both regimes. Update intake forms so they capture the applicable regime, the transfer mechanism being relied on, the assessment owner, and the date of the evidence reviewed. If a vendor says it welcomes updated guidance, translate that as: ask for the actual transfer language, not the blog summary.
The EU side is not parked either
LexisNexis UK includes an MLex note that Microsoft won approval to back the European Commission's defence of a transatlantic data transfer pact before the EU's top court. The note says Microsoft had argued that a decision halting such transfers would alter its legal standing. That is a reminder that EU transfer assumptions can move through litigation as well as regulator guidance. Builders stuck between jurisdictions should design compliance records that can be revised without rebuilding the product workflow. The sensible 2026 posture is boring, which is usually where privacy work belongs. Map the data, identify the restricted transfer, separate the UK and EU analysis where both apply, and keep enough evidence that someone else can understand the decision six months later. Watch for further ICO guidance and EU transfer litigation, but do not wait for perfect symmetry. It is not coming in time for your next vendor review.