The law is changing on international transfers of personal data

Thursday 10th February 2022

On January 28, 2022, the Information Commissioner’s Office (ICO) announced that the proposed International Data Transfer Agreement (IDTA) and the Addendum to the existing EU Standard Contractual Clauses (Addendum) had been laid before Parliament. If there are no objections, the documents will come into force on 21 March 2022 and will act as a tool to govern many international transfers of personal data.

What is the IDTA and what does it mean for businesses?

The ICO has designated the IDTA as one of the UK GDPR’s ‘appropriate safeguards’. Alongside other mandatory steps, the IDTA will allow data controllers to transfer personal data from the UK to ‘third countries’ which do not offer an equivalent level of protection to that afforded under the UK GDPR.

In short, relevant contracts going forward will need to incorporate the IDTA or Addendum, and existing contracts will need to be updated following a proposed grace period of two years (for contracts signed before September 21, 2022).

The IDTA is a flexible data transfer tool and will replace the existing Standard Contractual Clauses (SCCs) used by UK businesses post-Brexit. The SCCs currently only account for controller-controller and controller-processor data transfers, which makes them an awkward fit for many arrangements, such as processor-processor relationships.

Making a restricted transfer using the IDTA also requires the party exporting the data – known as the ‘Data Exporter’ – to carry out a Transfer Risk Assessment (TRA). The TRA must assess the facts of the restricted transfer, the laws and data regimes of the destination country and the potential impact on individuals.

The aim of the TRA is to enable the exporter to decide whether the IDTA on its own provides appropriate safeguards for the restricted transfer, or whether extra steps need to be taken to protect the data in question.

Whilst this enhances individual privacy rights, these changes will no doubt require time and investment from businesses that have already invested significantly in their data protection compliance programmes ahead of the introduction of the GDPR in 2018. We should see more regulatory guidance in this area in the coming months.

What steps should organisations be taking now?

Ahead of the new documents coming into force and updated guidance from the ICO, a key first step for organisations transferring personal data outside of the UK is to start mapping existing and pipeline flows of personal data outside of the UK to identify: (i) which existing contracts will need to be varied; and (ii) which pipeline relationships will require new template contractual documentation.

If you would like to discuss your business’ data protection needs and how to remain compliant in light of these changes, get in touch with one of our Privacy and Data Protection experts.
