Action required: Ensure compliance with UK Data Transfer Mechanism

In 2022, the UK government introduced new mechanisms for transferring personal data outside the country. Previously, companies relied on EU Standard Contractual Clauses (EU SCCs) for data transfers. However, post-Brexit, the UK introduced its own alternatives: 

The International Data Transfer Agreement (“IDTA”)

– A equivalent of the EU SCCs for international data transfers for international data transfers from the UK to countries without equivalent privacy laws.

The international data transfer addendum (the “UK Addendum”)

– Amends the EU SCCs so that they are applicable under the UK GDPR for international data transfers from the UK to countries without equivalent privacy laws.

The two documents adopted by the ICO in March 2022 aim to ensure adequate protection for individuals’ data when transferring personal information from the UK to countries without an adequate level of data protection under the UK GDPR. 

A transitional period was granted for businesses to update their data transfer agreements and incorporate the new transfer mechanism. In that regard, agreements signed before 21 September 2022 can rely on old EU SCCs until 21 March 2024 (provided there have been no modifications to the data transfer operations under those agreements).

By 21 March 2024, all agreements relying on the old EU SCCs for UK transfers must have been updated to either the IDTA or UK Addendum.

Any new agreements entered into force since 21 September 2022 must already be incorporating either the IDTA or the UK Addendum.

Next steps:

With the 21 March 2024 deadline approaching, it is recommended that you review your international data transfer agreements. In particular, review any existing agreements incorporating the old EU SCCs to begin updating these over to the new UK SCCs ahead of the statutory deadline.

It’s essential to note that this requirement applies specifically to data controllers who transfer the data of UK data subjects to third countries lacking an appropriate level of data protection.

Failing to update existing arrangements by the end of the grace period, and continuing to transfer personal data to third countries using the EU SCCs will result in a breach of the UK GDPR, and subsequently regulatory enforcement and sanctions. The ICO has the power to impose fines of up to £17.5 million or 4% of the total annual worldwide turnover (whichever is higher in the preceding financial year) on businesses for non-compliance.

What should you do:

Review your current data transfer agreements to incorporate the new UK data transfer mechanism before the mandatory deadline

Contact us at [email protected] for assistance to ensure compliance with the UK GDPR and avoid regulatory enforcement and fines.