UK International Data Transfer Agreement

Published on 13 June 2022

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament its international data transfer agreement (IDTA) and the UK Addendum to the European Commission’s standard contractual clauses (SCCs), which came into force on 21 March 2022. These are the UK’s own transfer tools for complying with the UK GDPR when making restricted transfers of personal data outside the UK.

Background

Following the EU referendum and the UK’s withdrawal from the EU, the EU GDPR was retained in UK law as the ‘UK GDPR’, sitting alongside the Data Protection Act 2018. The UK left the EU on 31 January 2020 and entered a transition period that ended on 31 December 2020.

At the end of that transition period, the ICO took the approach that transfers of personal data outside the UK could temporarily continue to rely on the EU transfer mechanism for restricted transfers, namely the EU SCCs in force at that time. Since then, the EU has published updated SCCs (June 2021), which many organisations have adopted.

The updated EU SCCs, however, are not recognised under the UK GDPR in their own right, as the ICO has been developing a UK-specific framework for personal data transfers. That framework includes the ICO’s own transfer risk assessment (TRA) tool, which data exporters use to assess whether the recipient country (the destination of the data importer) provides individuals with a level of protection for their rights over the processing of their personal data that is sufficiently similar to the UK’s.

Why is this Needed?

On 16 July 2020, the Court of Justice of the European Union (CJEU) handed down its judgment in the case now commonly known as Schrems II, which examined the safeguards then relied on for transfers of personal data to the United States: the EU-US Privacy Shield and the EU SCCs. The Privacy Shield was invalidated. The SCCs remained valid, but the Court made clear that exporters must assess, transfer by transfer, whether the law and practice of the destination country undermines the protection the clauses provide; the Commission subsequently issued updated SCCs with transitional arrangements. The judgment forced organisations across the UK and EU to look carefully at their arrangements for restricted transfers, not just to the USA but to any country that does not benefit from an ‘adequacy’ decision.


The ICO defines a transfer as restricted if:

  • The UK GDPR applies to the personal data being transferred
  • The data exporter is sending data or making it accessible to a data receiver/importer to whom the UK GDPR does not apply
  • The importer is a separate organisation or individual (including another organisation in the same corporate group).

What’s Changing?

From 21 September 2022, organisations processing UK personal data can no longer enter into new restricted transfer arrangements subject to the UK GDPR on the basis of the old EU SCCs; they must use the IDTA or the UK Addendum. Any existing arrangements for UK transfers based on the old EU SCCs must be replaced by 21 March 2024.

For EU organisations that need to transition their arrangements for EU data transfers to the new EU SCCs, the deadline is 27 December 2022, a much shorter timescale.

It is important to note that the IDTA and UK Addendum are only intended to legitimise restricted international transfers. The IDTA does not itself contain the controller-to-processor terms required by Article 28 of the UK GDPR and EU GDPR; these are expected to sit in a separate commercial agreement or contract governing the processing, or to be referenced from within the IDTA.

Implications and Next Steps

  1. Review and update intra-company agreements – if you have transfer agreements within your organisation, for example from UK to US entities, these need to be reviewed and updated to use either the IDTA or the new EU SCCs with the UK Addendum.
  2. Conduct or review transfer risk assessments – a transfer risk assessment (TRA) must be carried out for any existing or potential new restricted transfer. See URM’s previous blog to help determine when these should be carried out and why they are required.
  3. Review data sharing agreements with suppliers – review agreements with suppliers to determine whether SCCs are, or should be, part of the data sharing agreement. Where they are, these should be updated to incorporate either the IDTA or the new EU SCCs with the UK Addendum.
  4. Implement a law enforcement request policy – if your organisation has entities in jurisdictions where law enforcement can issue subpoenas or warrants for the disclosure of personal data, a policy should be developed setting out how such requests will be assessed and responded to.

How URM Can Help

In this blog, we have provided a high-level overview of what UK data exporters need to know about restricted transfers, and the new changes. We have also outlined the key next steps data exporters should take to ensure international data transfers are sufficiently safeguarded.
If you think this new requirement may have an impact on your organisation, URM’s team of data protection consultants can provide pragmatic, expert and tailored advice.
