21 March 2024 should be a date highlighted in the calendars of all British organisations which send personal data out of the United Kingdom.
Moving personal data (of customers, employees, trading partners, etc.) from the UK to countries and territories which do not have equivalent data protection laws is what is known as a ‘restricted transfer’, requiring one of the protections (‘appropriate safeguards’) in Chapter V of the UK GDPR to be applied to the transfer before it can lawfully go ahead. One of the most commonly-used Chapter V safeguards among UK data exporter organisations is a contractual mechanism known as ‘standard contractual clauses’ or ‘SCCs’. The SCCs can either be standalone contracts or provisions inserted into another contractual document, such as a data sharing agreement or data processing agreement between the data transferor/exporter and the data recipient/importer. There are two types of SCCs – the EU version, which has been around in one form or another for more than 20 years, and the more recent UK-only ones, from 2022.
21 March 2024 is the backstop date established by the Information Commissioner’s Office (ICO), the UK’s data protection regulator, for organisations which export personal data outside the UK to stop using the ‘old’ form EU SCCs in their contracts regulating such transfers. Instead, UK organisations need to convert or ‘repaper’ their contracts by the deadline, either to incorporate the ICO’s own UK SCCs (known as the ‘International Data Transfer Agreement’ or ‘IDTA’), or use the newer version of the EU SCCs. These latter EU SCCs, which date from June 2021, need to be used in conjunction with an ICO document called the ‘UK Addendum’. The addendum basically modifies the wording of the 2021 EU SCCs to make the EU clauses align with the UK international data transfer standard, the IDTA. If a UK business exports the data of both UK citizens and EU citizens, then the EU SCCs (protecting the EU people’s data) plus the UK Addendum (to guarantee the UK people’s privacy rights) is the way forward for such organisations.
The requirements of the 21 March 2024 cut-off date are a legacy of two of the most important developments in international data protection law in recent years: the Schrems II case of 2020 (which precipitated the EU into producing its new SCCs in 2021); and the UK leaving the European Union (indeed, it is probably the last major ‘loose end’ knock-on effect of Brexit, in terms of cross-border data transfers, to be tied up).
Following Brexit in late 2020, the ICO introduced its own set of SCCs, the IDTA, in March 2022. Any new contracts entered into from 21 September 2022 must have employed either the IDTA, or the new EU SCCs together with the Addendum. However, the regulator allowed an 18-month ‘sunset period’ from September 2022 for British organisations with contracts dated before 21 September 2022 containing the old pre-2021 EU SCCs, to continue using these. That sunset period is now drawing to a close.
In the run-up to the deadline, URM recommends that your organisation reviews its contracts which include international transfers of data. Probably the best place to identify these is in your record of processing activities (ROPA). Look particularly for any existing agreements incorporating the old EU SCCs, so you can begin changing these over to the new UK SCCs in good time.
How URM can help
If your organisation needs assistance with updating the SCCs you have used, or with any other aspect of GDPR compliance, URM can leverage our 17 years of experience in helping organisations comply with data protection (DP) legislation to offer you guidance and support in your compliance journey. If needed, a URM GDPR consultant can assist you with your development of a ROPA, which will allow you to identify contracts that include international data transfers and potentially out-of-date SCCs. Meanwhile, if you want to learn more about performing data transfers in compliance with the Regulation, our half-day training course on ‘Conducting Data Transfer Impact Assessments’ (DTIAs) will provide you with up-to-date, practical guidance on DTIAs – the cornerstone of any controller’s compliance effort when transferring data outside the UK/EU.
However, the scope of the GDPR consultancy services we offer extends far beyond this. Our large team of experienced and highly qualified GDPR consultants can support you with every stage of your compliance project, from conducting gap analysis of your current processing practices against the requirements of the Regulation, through to providing full remediation support. For organisations that require ongoing GDPR consultancy to maintain regulatory compliance, we also offer a virtual data protection officer (DPO) service which provides you with access to a team of DP experts. If your organisation receives data subject access requests (DSARs), we can help you process and respond to these requests in full compliance with the legislation by offering a GDPR DSAR redaction service. If you feel you would benefit from learning more about DSARs, you can also attend one of our 1-day DSAR training courses, led by a practising DP consultant. Likewise, attending URM’s ‘Conducting Data Protection Impact Assessments’ training will allow you to return to your workplace with a strong understanding of when you need to conduct a DPIA, how you can approach them, common mistakes to avoid, and more.