From today, UK businesses now have two new transfer tools for use to comply with UK GDPR when making restricted transfers – the International Data Transfer Agreement (IDTA) and the UK Addendum (that hooks onto the New EU SCCs).
Before and after Brexit, UK businesses relied on a set of Standard Contractual Clauses (known as the Old EU SCCs) as the safeguard mechanism for transferring data outside the UK to third countries and international organisations.
These Old EU SCCs were rather restrictive in nature so in June 2021 the European Commission adopted new SCCs (New EU SCCs), however these could only be used by EU parties because the UK had already left the European Union when they were implemented. As a result, UK businesses have had to continue using the Old EU SCCs.
Now the UK government has provided its own transfer mechanism in the form of the IDTA and the UK Addendum for UK businesses to transfer personal data outside the UK to ‘third countries’ or international organisations.
What does this mean for your business?
As a UK data exporter, you now have six months (until the 21 September 2022) to stop using the Old EU SCCs in any new contracts which requires a transfer mechanism and 24 months (21 March 2024) to ensure your entire portfolio of contracts are updated to use either the IDTA or UK addendum.
If you’d like to learn more about restricted transfers and which approach is best to adopt, the IDTA or the addendum, then take a look at our new guide explaining data transfers from the UK.
Transfer Risk Assessments
In addition to implementing the IDTA or UK addendum, organisations must still carry out a transfer risk assessment. This is to ensure there are suitable safeguards in place to provide protection which is essentially equivalent to the principles underpinning UK data protection laws.
Our data protection and cross border compliance expert Lillian Tsang adds:
This is a positive step forward for businesses as the Old EU SCCs only consider the controller-to-controller transfer or the controller-to-processor transfer. The IDTA and the UK addendum provides more practical solutions by including an exporting processor into the contractual relationship.
'Businesses now have two challenges, firstly to assess which approach they should adopt into their contracts, the IDTA or UK addendum. And then to migrate their suite of contracts to these new transfer mechanisms.'
International transfers can be a time consuming and often complex exercise. If you’d like help with any aspect of GDPR, contract remediation or TRAs, our friendly team of data protection and compliance solicitors are here to help.