You are contacting
The ICO has announced changes regarding sending data outside the UK.
3 minute read
17 May 2022
1. What has changed?
The Information Commissioner’s Office (ICO), which regulates privacy and data protection under the UK GDPR, recently announced changes to the mechanisms for sending personal data overseas.
In particular, the ICO has published new guidance and documents relating to transfers of personal data outside the UK. The key document is the International Data Transfer Agreement (IDTA), which supersedes the old standard contractual clauses (SCCs) that were used by organisations while the UK was still part of the EU. Organisations that transfer personal data subject to the UK GDPR outside the UK to countries that do not have ‘adequacy’ status will therefore need to update existing arrangements accordingly.
If organisations also handle personal data subject to the EU GDPR (for example, personal data concerning customers normally resident in the European Economic Area (EEA)), then it should be noted the old SCCs have been replaced by a new set of SCCs published in. June 2021 by the European Commission. If both the EU GDPR and the UK GDPR apply to personal data that is being transferred internationally, the new EU SCCs can be supplemented by a UK-specific addendum (Addendum) that has been published by the ICO as an alternative to using the IDTA.
2. In what circumstances do the new arrangements apply?
The new requirements are applicable to international transfers of personal data subject to the UK GDPR. This means personal data concerning individuals based in the UK who are offered goods and services or whose behaviour in the UK is monitored. The new requirements can therefore apply to organisations that are not themselves UK-based if they process this kind of personal data.
Similarly, EU arrangements apply to international transfers of personal data subject to the EU GDPR (so personal data concerning EEA-based individuals who are offered goods and or whose behaviour in the EEA is monitored). The EU GDPR continues to apply to UK-based organisations, therefore, to the extent that they process personal data of this kind.
The new requirements apply only when personal data is transferred to countries that do not have an ‘adequacy’ decision in place from either the UK or EU – whichever is relevant (currently the list of such countries for each is the same – with the exception that the EU and UK both recognise each other as adequate). Adequacy decisions are in place for those countries considered to have sufficient data protection measures in place without the need for additional safeguards around data transferred there. The most obvious example of a country where there is no adequacy decision in place – but to which relevant data transfers frequently occur – is the USA.
3. What do I need to do?
Consider the arrangements your organisation has in place covering international transfers of personal data. Where transfers take place, and there is no adequacy decision for the destination country, the appropriate safeguards must be in place in order to comply with the UK GDPR and EU GDPR for any data to which that applies.
To ensure the appropriate safeguards are up to date the data exporter and importer should either:
One of these agreements should also be concluded for any new data transfer arrangements.
Organisations transferring data subject to the EU GDPR should ensure the relevant contracts incorporate the new SCCs as published in June 2021, rather than the old version.
4. When do I need to make the changes?
The UK IDTA and Addendum have been in force and available to use since 21 March 2022. The old EU SCCs alone (without the Addendum) will, however, be considered sufficient to provide the necessary safeguards for all transfers subject to the UK GDPR concluded before 21 September 2022 (providing that the processing operations have not changed), until 21 March 2024. After that date, the Addendum must be used in addition to the new SCCs, or the UK IDTA used as an alternative. This will therefore necessitate some repapering of contracts involving these kind of transfers, which we would recommend starting as soon as possible.
For agreements made after 21 September 2022, the UK IDTA or Addendum should be used from the start of the arrangement.
5. What else should I consider?
To inform decisions about what safeguards are required whenever personal data is being transferred internationally, data exporters are required to undertake and document a transfer risk assessment in each case. It is important to have this in place as part of your internal audit trail in order to demonstrate compliance with the accountability principle under the UK GDPR and EU GDPR.
6. Checklist / summary
Collyer Bristow is happy to advise on the implementation of these new requirements, and the detail of the IDTA/Addendum in your organisation. Please get in touch if you require assistance.
17 May 2022
You are contacting
Please add your details and your areas of interest below
FINDING OUR ARTICLES OF INTEREST? SUBSCRIBE TO RECEIVE THE LATEST CONTENT DIRECT TO YOUR INBOXSubscribe now