3 min read

Writen by Sibel Amet

Posted on: March 8, 2024

Action required: Ensure compliance with UK Data Transfer Mechanism

In 2022, the UK government introduced new mechanisms for transferring personal data outside the country. Previously, companies relied on EU Standard Contractual Clauses (EU SCCs) for data transfers. However, post-Brexit, the UK introduced its own alternatives: 

The International Data Transfer Agreement (“IDTA”)

– A equivalent of the EU SCCs for international data transfers for international data transfers from the UK to countries without equivalent privacy laws.

The international data transfer addendum (the “UK Addendum”)

– Amends the EU SCCs so that they are applicable under the UK GDPR for international data transfers from the UK to countries without equivalent privacy laws.

The two documents adopted by the ICO in March 2022 aim to ensure adequate protection for individuals’ data when transferring personal information from the UK to countries without an adequate level of data protection under the UK GDPR. 

A transitional period was granted for businesses to update their data transfer agreements and incorporate the new transfer mechanism. In that regard, agreements signed before 21 September 2022 can rely on old EU SCCs until 21 March 2024 (provided there have been no modifications to the data transfer operations under those agreements).

By 21 March 2024, all agreements relying on the old EU SCCs for UK transfers must have been updated to either the IDTA or UK Addendum.

Any new agreements entered into force since 21 September 2022 must already be incorporating either the IDTA or the UK Addendum.

Next steps:

With the 21 March 2024 deadline approaching, it is recommended that you review your international data transfer agreements. In particular, review any existing agreements incorporating the old EU SCCs to begin updating these over to the new UK SCCs ahead of the statutory deadline.

It’s essential to note that this requirement applies specifically to data controllers who transfer the data of UK data subjects to third countries lacking an appropriate level of data protection.

Failing to update existing arrangements by the end of the grace period, and continuing to transfer personal data to third countries using the EU SCCs will result in a breach of the UK GDPR, and subsequently regulatory enforcement and sanctions. The ICO has the power to impose fines of up to £17.5 million or 4% of the total annual worldwide turnover (whichever is higher in the preceding financial year) on businesses for non-compliance.

What should you do:

Review your current data transfer agreements to incorporate the new UK data transfer mechanism before the mandatory deadline

Contact us at [email protected] for assistance to ensure compliance with the UK GDPR and avoid regulatory enforcement and fines.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

AI Act: Fundamental Rights Impact Assessments (FRIA) – Who, When, Why, and How to Ensure Ethical AI Deployment

The European Union (EU) has positioned itself as a leader in shaping the responsible development an

How the Privacy Act Protects Personal Information in Australia

 As cyber threats loom larger and data breaches become more common, the significance of strong

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy