UK businesses that transfer personal data out of the UK to a country not deemed “adequate” by the UK Government will have until 21 March 2024 to update existing contracts to ensure compliance with the General Data Protection Regulation (GDPR).

The recent £1.04bn fine handed down by the Irish Data Protection Authority to Facebook’s owner, Meta, for breaches of GDPR serves as a potent reminder of the grave consequences of non-compliance and of the importance of businesses seeking advice if they are unsure of their duties under the legislation.

UK GDPR: An Overview

The UK GDPR restricts the transfer of personal data to recipients outside the UK where the destination country is not covered by UK adequacy regulations (i.e. a country that the UK government does not regard as providing adequate protection for individuals’ personal data).

Any contract involving a restricted transfer (i.e. a transfer of data not covered by the UK adequacy regulations) needs to incorporate one of the data protection clauses approved by the UK Information Commissioner’s Office (ICO). This could take the form of either:

1. an International Data Transfer Agreement (IDTA); or
2. the EU Standard Contractual Clauses (SCCs) together with the UK’s own Addendum. Importantly, the new SCCs are not valid for restricted transfers under UK GDPR unless they are issued in conjunction with the UK’s own Addendum.

Importantly, contracts entered into on the basis of the old EU Standard Contractual Clauses will only continue to provide adequate protection for the purposes of UK GDPR until 21 March 2024. From that date, existing contracts dealing with restricted transfers of personal data will need to have been transitioned to incorporate either the IDTA or the EU SCCs and UK Addendum.

Which transfer mechanism should I use?

Ultimately, the transfer mechanism you use will depend on the personal data you are transferring.

1. International Data Transfer Agreement – this is a standalone document providing appropriate safeguards for a restricted transfer of personal data from the UK. It is essentially the UK’s equivalent of the EU SCCs. The IDTA is likely to be the most appropriate mechanism if your organisation is established in the UK and does not provide any goods or services into the EU.
2. UK Addendum – this is a short document intended to be issued in conjunction with the new EU SCCs; it effectively applies the EU SCCs to a transfer of personal data from the UK (with some minor UK-specific amendments). This option may be more suitable for UK organisations that are exposed to EU GDPR anyway, e.g. by being part of a group with one or more entities established in the EU, or by offering goods and services to customers in the EU.

Importantly, it is still necessary to undertake a transfer risk assessment (TRA) of the country to which you are transferring personal data. If the TRA reveals gaps in the protection afforded in that country, supplementary measures should be adopted to ensure an equivalent level of protection for personal data to that in the UK (or EU, as appropriate).

The ICO has issued a Transfer Risk Assessment Tool, which may be a useful starting point for carrying out your transfer risk assessments. Please note that we expect further ICO guidance on how transfer risk assessments should be completed in due course.

Checklist

With the deadline for incorporating either the IDTA or the EU SCCs and UK Addendum looming, organisations are advised to:

1. Consider data flows – do you transfer personal data outside the UK, and is this necessary to meet your purposes? Could those purposes be met without transferring personal data outside the UK?
2. Review contracts that involve international transfers of personal data – do any of them incorporate the legacy EU SCCs that need to be updated to incorporate the IDTA or the EU SCCs and UK Addendum before 21 March 2024?
3. For any new contracts involving an international transfer of personal data – incorporate the IDTA or the EU SCCs and UK Addendum.
4. Conduct or update transfer risk assessments where necessary, and consider whether any supplementary measures are required when transferring personal data internationally.


Further guidance and support

If you require any help or advice on any of the information in this article, please get in touch with our team. Our commercial law solicitors are based in Maidstone and Canterbury and are ready to help with any legal advice you may require, so please get in touch today.


This content is correct at time of publication.
