- 30 August 2022
- Privacy and Data Protection
There have been many developments relating to how data flows are governed, ranging from the standard contractual clauses (SCCs) to the notable Schrems II decision; following this, the UK was deemed an ‘adequate’ country by the EU in respect of personal data transfers. Earlier this year, the Secretary of State laid before Parliament the International Data Transfer Agreement (IDTA), the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) and a document setting out transitional provisions. In a post-Brexit world, the UK has also explored a data protection reform bill to reshape its approach to regulation outside of the EU. So, where are we now with the UK data protection regime and what should organisations look out for?
What is the IDTA and how does it work?
The UK’s independent data protection regulator, the Information Commissioner’s Office (ICO), prepared the IDTA, which came into force on 21 March 2022. Where UK-based organisations will export personal data to third countries (such as the USA), which are not covered by an adequacy decision, they will be able to choose between the IDTA and the Addendum to transfer personal data outside the UK. This will depend on whether the personal data is solely being exported by the UK (where the IDTA would be appropriate), or both the UK and the EEA (where the Addendum would be appropriate, particularly for global organisations). The ICO has provided further guidance on what restricted transfers are in its ‘Guide to the UK General Data Protection Regulation (UK GDPR)’. In general terms, the IDTA contains mandatory clauses which the data importer and exporter will need to comply with, but also provides the opportunity to refer to other data processing and data sharing agreements the parties may have in place.
What are the key dates to look out for?
It is important to note that contracts concluded on or before 21 September 2022 on the basis of the old EU Standard Contractual Clauses (EU SCCs) can remain in place unchanged and will provide adequate safeguards until 21 March 2024, where the data being transferred is only being exported from the UK.
However, for new contracts for data transfers from the UK entered into after 21 September 2022, the UK Addendum to the new EU SCCs or the IDTA will need to be used, though new contracts have been able to adopt these since the IDTA had come into force from 21 March 2022.
Following the UK’s adequacy decision, we see the UK move away from the EU’s approach on data protection to adopt and focus on a risk-based approach with the aim of reducing administrative burdens and supporting economic growth.
What next steps should organisations take?
With these dates in mind, and when considering whether to enter into an IDTA, organisations, particularly in light of any company restructures, mergers or takeovers, should now seek to understand their data flows, particularly in terms of whether there are data flows between the UK, the EEA and/or third countries or if the nature of the processing has changed.
Organisations will then need to undertake a transfer risk assessment to better understand the safeguards and security requirements they will need to implement to protect the personal data.
Importers and exporters will need to be clear on the types of personal data that will be transferred, data subjects, security requirements and any extra protections and safeguards arising from transfer risk assessments. The IDTA considers other separate “linked agreements” in which data importers and exporters will need to consider if such data processing or data sharing agreements includes all the personal data and data flows involved, with consideration to the requirements and terminology in the UK GDPR. For example, it may be that such linked agreements need to be updated to be compliant with the UK GDPR or if the processing of the personal data has changed since the parties entered into a new agreement for services.
In the meantime, we await further guidance on the transfer risk assessment and will monitor how the increasing use of the IDTAs and Addendums will shape the data protection landscape.
Overall, this has been a crucial year for data protection in which, following the UK’s adequacy decision, we see the UK move away from the EU’s approach on data protection to adopt and focus on a risk-based approach with the aim of reducing administrative burdens and supporting economic growth. However, a crucial aspect will be to see whether any further changes to the data protection regime by the UK could risk the UK’s adequacy decision being impacted.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
About this article
SubjectUK Data Protection – Where are we now?
ExpertisePrivacy and Data Protection
Published30 August 2022
Read, listen and watch our latest insights
- 30 November 2022
- Privacy and Data Protection
Clarkslegal act for a multi-national company on an International Data Transfer Agreement
We recently acted for the UK arm of a multi-national company in connection with the transfer of personal data to an HR services-provider based in the United States.
- 29 November 2022
Employer who shared personal contact details, tribunal rules unfairly dismissed – Monica Atwal writes for People Management
Monica Atwal, Managing Partner at Clarkslegal LLP comments in the People Management on Sales adviser who gave personal number to customers and waited five months for disciplinary hearing was unfairly dismissed, tribunal rules.
- 28 November 2022
- Corporate and M&A
2023: Investment & Acquisition Opportunities in the Chaos?
2023 is looking like it will be a tough year, but some adaptable entrepreneurs and businesses are viewing the current economic climate as an opportunity. Planning strategic investments in the business and assets of distressed companies. Often these businesses have the potential to thrive but have been affected by circumstances outside their control.
- 23 November 2022
- Privacy and Data Protection
Latest developments in UK data protection and cybersecurity
The UK data protection landscape has been everchanging particularly since the Government’s announcement to reform its data protection legislation following Brexit through the Data Protection and Digital Information Bill, and the updated process on international data transfers.
- 22 November 2022
Imposing new terms on employees: the Twitter dilemma?
Twitter has made headlines yet again after its new owner, Elon Musk, has given employees an ultimatum: work long hours at high intensity, or quit and receive 3 months’ severance pay. Employees were given until Thursday 17 November 2022 to make a decision, which was around 24 hours after the ultimatum was given.