UK Data Protection – Where are we now?

There have been many developments relating to how data flows are governed, ranging from the standard contractual clauses (SCCs) to the notable Schrems II decision; following this, the UK was deemed an ‘adequate’ country by the EU in respect of personal data transfers. Earlier this year, the Secretary of State laid before Parliament the International Data Transfer Agreement (IDTA), the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) and a document setting out transitional provisions. In a post-Brexit world, the UK has also explored a data protection reform bill to reshape its approach to regulation outside of the EU. So, where are we now with the UK data protection regime and what should organisations look out for?

What is the IDTA and how does it work?

The UK’s independent data protection regulator, the Information Commissioner’s Office (ICO), prepared the IDTA, which came into force on 21 March 2022. Where UK-based organisations export personal data to third countries (such as the USA) which are not covered by an adequacy decision, they will be able to choose between the IDTA and the Addendum to transfer personal data outside the UK. The choice will depend on whether the personal data is being exported solely from the UK (where the IDTA would be appropriate), or from both the UK and the EEA (where the Addendum would be appropriate, particularly for global organisations). The ICO has provided further guidance on what restricted transfers are in its ‘Guide to the UK General Data Protection Regulation (UK GDPR)’. In general terms, the IDTA contains mandatory clauses which the data importer and exporter will need to comply with, but also provides the opportunity to refer to other data processing and data sharing agreements the parties may have in place.

What are the key dates to look out for?

It is important to note that contracts concluded on or before 21 September 2022 on the basis of the old EU Standard Contractual Clauses (EU SCCs) can remain in place unchanged and will provide adequate safeguards until 21 March 2024, where the data being transferred is only being exported from the UK.

However, new contracts for data transfers from the UK entered into after 21 September 2022 will need to use the UK Addendum to the new EU SCCs or the IDTA, though new contracts have been able to adopt these since the IDTA came into force on 21 March 2022.

Melanie Pimenta

Associate

+44 118 960 4653

What next steps should organisations take?

With these dates in mind, and when considering whether to enter into an IDTA, organisations, particularly in light of any company restructures, mergers or takeovers, should now seek to understand their data flows, particularly in terms of whether there are data flows between the UK, the EEA and/or third countries or if the nature of the processing has changed.

Organisations will then need to undertake a transfer risk assessment to better understand the safeguards and security requirements they will need to implement to protect the personal data.

Importers and exporters will need to be clear on the types of personal data that will be transferred, data subjects, security requirements and any extra protections and safeguards arising from transfer risk assessments. The IDTA also considers separate “linked agreements”: data importers and exporters will need to consider whether such data processing or data sharing agreements include all the personal data and data flows involved, with consideration to the requirements and terminology in the UK GDPR. For example, it may be that such linked agreements need to be updated to be compliant with the UK GDPR, or that the processing of the personal data has changed since the parties entered into a new agreement for services.

In the meantime, we await further guidance on the transfer risk assessment and will monitor how the increasing use of the IDTAs and Addendums will shape the data protection landscape.

Overall, this has been a crucial year for data protection in which, following the UK’s adequacy decision, we see the UK move away from the EU’s approach on data protection to adopt and focus on a risk-based approach with the aim of reducing administrative burdens and supporting economic growth. However, a crucial aspect will be to see whether any further changes to the data protection regime by the UK could risk the UK’s adequacy decision being impacted.

 

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
