Transferring data out of the UK – Is your business compliant?

Transferring data out of the UK – Is your business compliant?

As of 21 March 2024, contracts and data processing agreements that incorporate the old standard contractual clauses (SCCs) adopted by the European Commission in 2001, 2004, or 2010 are no longer sufficient to ensure compliance with the UK General Data Protection Regulation (UK GDPR) for restricted data transfers.

To recap, two new international data transfer mechanisms were introduced on the 21st of March 2022 to facilitate a restricted transfer of personal data from the UK:

  • The International Data Transfer Agreement (IDTA)
  • The UK Addendum, which allowed UK controllers to use the new EU SCCs with minor modifications via an addendum.

For additional information, read the IDTA and UK addendum explained.

Since that date in March 2022, the old SCCs could not be used for new transfers.  But existing agreements using the old SCCs remained valid for a transitional period until 21 March 2024.

As this deadline has now passed, UK data controllers must now have updated their standard contractual clauses (SCCs) to use the IDTA or UK Addendum or implemented alternative measures to ensure compliance with data protection regulations.

Lillian Tsang, our Senior Data Protection and Privacy Solicitor stresses the consequences of non-compliance:

If your organisation has not yet addressed this issue, it is crucial to take immediate action to ensure compliance with UK data protection regulations and to avoid enforcement actions by the ICO. Also consider that non-compliance can disrupt corporate transactions, supplier partnerships, and contractual agreements, leading to prolonged negotiations or even contract abandonment. Businesses should by now have updated their data transfer arrangements to maintain compliance, mitigate enforcement risks, and ensure smooth business operations.

Other changes relating to international transfers mean that there might not be a need for any clauses at all, for example, if the recipient of the data is based in the United States and has signed up to the US-EU Data Privacy Framework and opted into the UK extension.  However, this would need to be checked on a case-by-case basis.

Our specialist lawyers are on hand to ensure that you have adequate safeguards in place to ensure compliance with relevant data protection regimes.

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry