UK Restricted Transfers: Standard data protection clauses by the ICO

As organisations continue to navigate the complexities of data protection laws, staying abreast of key deadlines is paramount. One such deadline relates to organisations involved in restricted transfers of personal data under UK data protection law. The ICO set a critical deadline for organisations that transfer personal data outside the UK. This article explains what you need to do to ensure compliance with the ICO’s directive and the UK GDPR.

The deadline pertains to the validity of old EU standard contractual clauses (SCCs) issued by the European Commission under the previous Data Protection Directive (the old EU SCCs). Note that the EU has also replaced the old EU SCCs and the last month of their validity was December 2022. If your organisation relies on these clauses for restricted transfers in the UK, they are no longer valid for restricted transfers after March 21, 2024. The ICO has issued 2 sets of standard data protection clauses for restricted transfers under the UK GDPR. Organisations must either enter into a new contract based on the International Data Transfer Agreement (IDTA) or annex the Addendum provided by the Information Commissioner’s Office (ICO).

Standard data protection clauses are pre-approved contracts that organisations can use to ensure personal data transferred outside the UK receives adequate protection.

How to determine if this deadline affects your organisation in the UK

If your organisation transfers personal data outside the UK (restricted transfers), you need to act now if you were previously relying on the old EU SCCs. These old SCCs are no longer valid for restricted transfers under UK GDPR after March 21, 2024.

1. Assess your current restricted data transfers

Review your organisation’s current data transfer practices to ascertain whether they involve restricted transfers under the UK GDPR. Do you transfer personal data from the UK to countries outside the UK? If yes, were you previously relying on old EU SCCs approved under the Data Protection Directive for these transfers? Did you answer yes to both questions, then you need to switch to the International Data Transfer Agreement (IDTA) provided by the ICO. If you answered no to the second question, you may not need to take further action.

Note that in the UK, if you currently rely on the new EU SCCs adopted in June 2021, it is not necessary to sign the IDTA; the ICO allows you to annex the Addendum to your existing EU SCCs. However, if the SCCs are old, you will have to stop relying on them completely.

2. Evaluate existing Agreements

Determine when your organisation entered into the contracts. Contracts entered into under the Data Protection Directive are valid only until March 21, 2024, after which any transfer of personal data out of the UK under such Agreements will most likely constitute an illegal transfer of data.

As an indication, the new EU SCCs were adopted in June 2021, therefore any EU SCC document dated before that would be the old version.

The ICO restricted transfers deadline affects my organisation, what can I do?

The UK Information Commissioner’s Office (ICO) offers two options for compliant data transfers after March 21, 2024.

Organisations in the UK can choose to do either of the following:

1. Use the UK International Data Transfer Agreement (IDTA)

This Agreement is specifically designed for restricted transfers under the UK GDPR.

2. Use the UK Addendum with the new EU SCCs

This option allows you to leverage the new EU SCCs (adopted in June 2021) but requires an additional agreement (the Addendum) to ensure compliance with UK GDPR. If your organisation relies on the new EU SCCs, it will need to annex the Addendum to comply. It will not need to enter into an entirely new agreement. Before annexing the UK Addendum to previously signed SCCs, ensure to check with the other contracting party or parties. This ensures that they are aligned on the additional obligations introduced by the UK Addendum.

3. Conduct a Transfer Risk Assessment:

Regardless of the option you choose, you must conduct a transfer risk assessment. This assessment evaluates the potential risks to personal data in the recipient country. This is a requirement by the ICO.

Conclusion

It is essential for organisations to act proactively. Doing this prevents disruptions in data transfers and potential non-compliance with data protection laws. Not sure about how the required changes impact your organisation or need assistance in navigating the required changes? Get in touch with us. We can carry out a quick assessment and design custom-made solutions to align your organisation with the ICO’s directive.

Generally, we can help your organisation stay ahead of compliance requirements and safeguard the integrity of data transfers in accordance with UK data protection laws.

In summary…

  • Review your data transfer practices. Identify all instances where you transfer personal data from the UK to countries outside the UK.
  • Determine if you were using old EU SCCs for these transfers.
  • If the deadline applies to you, explore the IDTA and Addendum options.

Do you need support on data protection, privacy or GDPR? TechGDPR can help.

Request your free consultation

Tags

Show more +