Transfers of personal data outside the UK have changed since Brexit. With the introduction of the International Data Transfer Agreement (IDTA), it is essential that you update your international data transfer policy. Read this article to find out how and why.
Transfers of Personal Data Outside the UK
Article 44 of the UK GDPR states that any transfer of personal data to a third country or an international organisation can only take place where the conditions set out in Chapter 5 of the regulation are met. These conditions include adequacy regulations, appropriate safeguards and binding corporate rules.
Those wishing to process and then transfer personal data or transfer personal data for processing must comply with UK GDPR Articles 44-50. Personal data transfers outside the UK are referred to as ‘restricted transfers’. That is where our International Data Transfer Policy Template comes in handy!
The UK GDPR is closely aligned with the version of the GDPR previously followed by the UK. On the 28th of June 2021, the EU Commission approved the adequacy decisions for the UK, meaning that the EU has determined the UK’s data protection laws to be robust enough to ensure data can continue to flow safely to the UK from the EU (and EEA).
The UK has carried over the 42 Adequacy Decisions (known in the UK as Adequacy Regulations) already afforded by the EC, so that personal data can continue to be transferred from the UK to those countries now that the UK has left the EU.
Organisations can check the list published by the Secretary of State to see if the relevant country or international organisation has been assessed as having an adequate level of protection via an adequacy regulation. This means that minimal safeguards are then required to transfer data to the third country as the Secretary of State has already undertaken a comprehensive assessment of the protections in place.
Standard Contract Clauses (SCCs)
Without an adequacy regulation in place, organisations must have adequate and appropriate safeguards and measures in place to protect personal data and data subjects when carrying out a restricted transfer.
One such safeguard has been the EU Standard Contract Clauses. However, the UK has been reviewing the UK GDPR since Brexit and is now preparing to enforce the International Data Transfer Agreement (IDTA) and associated IDT Addendum. These will replace the current standard contractual clauses for international transfers from the UK.
What is the International Data Transfer Agreement?
Section 119A of the Data Protection Act 2018 relates to standard clauses for transfers to third countries. It specifies that ‘the Commissioner may issue a document specifying standard data protection clauses which the Commissioner considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR’.
On 2nd February 2022, the Secretary of State laid the International Data Transfer Agreement (IDTA) before Parliament, with an enforcement date of 21st March 2022. Data transfers to a third country or an international organisation without an adequacy regulation can only be made where the appropriate safeguards are in place.
The IDTA and Addendum are the UK’s latest safeguard measures. The ICO have published a wealth of free guidance and information on using the IDTA, along with agreement templates that can be used to comply with the safeguarding requirements and draft guidance on their Transfer Risk Assessment Tool.
International Transfer Policy Template
Ensure compliance with the IDTA measures that came into force on the 22nd March 2022. Know Your Compliance Limited have already updated our existing International Transfer Policy and associated GDPR data protection policy templates. Whether you require a simple Data Protection Policy Template or are looking to join the thousands of organisations already using our UK GDPR Policy Template Toolkit, we can help.