GDPR Cross-Border Outsourcing Checklist
18-item checklist for UK companies transferring personal data to Kenya. Covers IDTA, TRA, DPAs, and ICO requirements for lawful cross-border processing.

A. Before the Transfer (Items 1–7)
Identify all personal data categories being transferred
Map every category of personal data that will leave UK jurisdiction: names, addresses, ID documents, financial records, health data, employment records. Special category data (Article 9) requires additional safeguards.
Confirm you have a lawful basis for the processing itself
Before addressing the transfer, confirm that the underlying processing has a lawful basis under UK GDPR Article 6 (and Article 9 for special category data). The transfer mechanism does not replace the need for a processing lawful basis.
Determine whether Kenya holds UK adequacy status
As of 2026, Kenya does not hold a UK adequacy decision. This means you must rely on Article 46 safeguards. Check the ICO’s adequacy decisions page for any updates.
Select the appropriate transfer mechanism
For UK–Kenya transfers, the IDTA is the standard mechanism. Alternatives include binding corporate rules (for intra-group transfers) or Article 49 derogations (limited circumstances only). The IDTA is the recommended default.
Complete the International Data Transfer Agreement (IDTA)
The IDTA is a mandatory legal document issued by the ICO (template available on ico.org.uk). Both the data exporter (your firm) and data importer (the provider in Kenya) must execute it. The IDTA must specify the data categories, transfer purpose, importer obligations, and data subject rights.
Complete a Transfer Risk Assessment (TRA)
Assess whether the legal framework in Kenya provides ‘essentially equivalent’ protection to UK GDPR. Consider: Kenya’s DPA 2019 (GDPR-modelled), the ODPC’s supervisory powers, rule of law, and government access to data. Document the assessment and retain it for ICO accountability.
Assess supplementary measures (if needed)
If the TRA identifies gaps, implement supplementary technical, contractual, or organisational measures. For Kenya, supplementary measures are typically limited to encryption in transit and access controls, as the legal framework is already GDPR-modelled.
Execute a Data Processing Agreement (DPA)
A UK GDPR Article 28 compliant DPA must be in place between the data controller (your firm) and data processor (the provider). The DPA must specify: processing purpose, duration, data categories, processor obligations, sub-processor requirements, and data breach notification procedures.
Record the transfer in your data processing register
Your Article 30 records of processing activities must include: the categories of personal data transferred, the recipient in Kenya, the transfer mechanism (IDTA), and the safeguards in place.
Update your privacy notice
Your privacy notice must inform data subjects that their personal data may be transferred to Kenya, the safeguard used (IDTA), and how they can obtain a copy of the IDTA.
Complete a Data Protection Impact Assessment (DPIA) if required
If the transfer involves high-risk processing (large-scale monitoring, special category data, or new technology), a DPIA under Article 35 is mandatory. Consult the ICO’s screening checklist.
Retain all documentation for ICO accountability
Under the accountability principle (Article 5(2)), you must be able to demonstrate compliance. Retain signed IDTAs, TRAs, DPAs, DPIAs, and records of processing activities. These must be producible on request.
Encryption in transit and at rest
All personal data must be encrypted during transfer (TLS 1.2+) and at rest in the receiving environment. Confirm the provider’s encryption standards and key management practices.
Access controls and authentication
VPN with IP whitelisting, multi-factor authentication, and role-based access controls must be in place. No personal data should be accessible from unmanaged devices.
Data minimisation enforced
Only the personal data strictly necessary for the processing purpose should be transferred. Do not transfer entire databases when a subset will suffice.
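One way to enforce the minimisation rule (and the data-category mapping from item 1) in code, as an added example that is not part of the checklist: the permitted fields for each documented transfer purpose are taken from the IDTA/DPA data categories, every other field is stripped before the record leaves UK jurisdiction, and Article 9 special category fields are refused unless the purpose explicitly lists them. The purpose names, field names and the SPECIAL_CATEGORY_FIELDS mapping are constructed for the example.

```python
"""Data-minimisation gate for an outbound transfer (added example).

Assumptions (constructed for this example): ALLOWED_FIELDS holds, per documented
processing purpose, the data categories the IDTA/DPA permits; SPECIAL_CATEGORY_FIELDS
names the fields your data map classes as UK GDPR Article 9 data.
"""
from dataclasses import dataclass, field

# Fields your data map classes as Article 9 special category data (constructed).
SPECIAL_CATEGORY_FIELDS = {"health_record", "ethnicity", "biometric_id", "religion"}

# Purpose -> fields the IDTA/DPA permits for that purpose (constructed).
ALLOWED_FIELDS = {
    "payroll_processing": {"employee_id", "full_name", "bank_account", "salary", "tax_code"},
    "occupational_health": {"employee_id", "full_name", "health_record"},
}


@dataclass
class MinimisationResult:
    transferable: dict                      # fields cleared to leave the UK
    dropped: set = field(default_factory=set)                   # not needed for the purpose
    refused_special_category: set = field(default_factory=set)  # Article 9 data not permitted


def minimise_for_transfer(record: dict, purpose: str) -> MinimisationResult:
    """Return only the fields the documented purpose permits.

    Raises ValueError for a purpose that has no documented allowlist, so an
    undocumented transfer cannot silently go through with every field.
    """
    allowed = ALLOWED_FIELDS.get(purpose)
    if allowed is None:
        raise ValueError(f"no documented transfer purpose: {purpose!r}")
    result = MinimisationResult(transferable={})
    for name, value in record.items():
        if name in SPECIAL_CATEGORY_FIELDS and name not in allowed:
            # Article 9 data is flagged separately so the refusal is visible in review.
            result.refused_special_category.add(name)
        elif name in allowed:
            result.transferable[name] = value
        else:
            result.dropped.add(name)
    return result


if __name__ == "__main__":
    # Constructed sample record: a full HR row of which payroll needs only a subset.
    hr_row = {
        "employee_id": "E1041", "full_name": "A. Example", "bank_account": "12-34-56 00112233",
        "salary": 41000, "home_address": "1 Example St", "health_record": "see GP note",
    }
    outcome = minimise_for_transfer(hr_row, "payroll_processing")
    print("transfer:", sorted(outcome.transferable))
    print("dropped:", sorted(outcome.dropped))
    print("refused Article 9:", sorted(outcome.refused_special_category))
```

The refused set is worth surfacing in the transfer record rather than discarding quietly: a field that keeps getting refused is a sign that either the data map (item 1) or the DPA's data categories (item 8) is out of date.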
Audit trail and logging
All access to personal data must be logged with user ID, timestamp, and action performed. Logs must be retained for a minimum period aligned with your data retention policy.
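As an added example (not from the checklist), the following Python validates access log lines against the three fields the item requires, rejects lines that cannot serve as evidence (missing user ID, timestamp without a timezone offset, unknown action, not JSON), and lists events that have passed the retention period. The JSON-lines format, the field names, the allowed actions and the sample log are all constructed for the example; the retention period is a parameter to be taken from your own retention policy.

```python
"""Audit-trail checks for access to transferred personal data (added example).

Assumes a constructed JSON-lines format: one event per line with user_id,
timestamp (ISO 8601 with offset), action and record_id.
"""
import json
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("user_id", "timestamp", "action", "record_id")
ALLOWED_ACTIONS = {"read", "update", "delete", "export"}   # constructed action vocabulary


def parse_event(line: str) -> dict:
    """Parse one log line; raise ValueError if it cannot serve as audit evidence."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from exc
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if event["action"] not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {event['action']!r}")
    ts = datetime.fromisoformat(event["timestamp"])
    if ts.tzinfo is None:
        # A naive timestamp is ambiguous between a UK exporter and a Kenyan importer.
        raise ValueError("timestamp must carry a timezone offset")
    event["timestamp"] = ts.astimezone(timezone.utc)   # normalise for comparison
    return event


def audit_report(lines, retention_days: int, now: datetime) -> dict:
    """Summarise a batch of log lines.

    Returns the valid events, the rejected (line number, reason) pairs, and the
    valid events older than the retention period, which are due for deletion.
    """
    valid, rejected, past_retention = [], [], []
    cutoff = now - timedelta(days=retention_days)
    for n, line in enumerate(lines, 1):
        try:
            ev = parse_event(line)
        except ValueError as exc:
            rejected.append((n, str(exc)))
            continue
        valid.append(ev)
        if ev["timestamp"] < cutoff:
            past_retention.append(ev)
    return {"valid": valid, "rejected": rejected, "past_retention": past_retention}


# Constructed sample log: one good line, three defective lines, one expired event.
SAMPLE_LOG = [
    '{"user_id": "ke-analyst-07", "timestamp": "2026-03-02T08:10:00+03:00", "action": "read", "record_id": "EMP-1041"}',
    '{"timestamp": "2026-03-02T08:12:00+03:00", "action": "read", "record_id": "EMP-1042"}',
    '{"user_id": "ke-analyst-07", "timestamp": "2026-03-02T08:14:00", "action": "update", "record_id": "EMP-1041"}',
    '{"user_id": "uk-admin-01", "timestamp": "2024-01-15T10:00:00+00:00", "action": "export", "record_id": "EMP-0007"}',
    'not a json line',
]
# Fixed "current time" for the sample run, so the report is reproducible.
REPORT_NOW = datetime(2026, 3, 3, tzinfo=timezone.utc)


if __name__ == "__main__":
    report = audit_report(SAMPLE_LOG, retention_days=365, now=REPORT_NOW)
    print("valid events:", len(report["valid"]))
    for n, reason in report["rejected"]:
        print(f"line {n} rejected: {reason}")
    for ev in report["past_retention"]:
        print("past retention:", ev["record_id"], ev["timestamp"].isoformat())
```

Rejected lines matter as much as valid ones: a provider whose logs regularly fail the shape check cannot demonstrate who accessed what, which is the evidence item 12 asks you to be able to produce.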
Periodic TRA review scheduled
Transfer Risk Assessments are not one-off exercises. Review annually or whenever there is a material change in Kenya’s legal framework, the provider’s circumstances, or the data categories transferred. Document each review.
Breach response procedure tested
Your data breach response plan must cover cross-border scenarios. Confirm that the provider can notify you within the agreed timeframe (typically 24 hours). Test the notification chain at least annually.
