6 Steps to Manage International Data Transfers from the UK

June 2024

UK data protection law requires us to carefully consider and have specific measures in place to protect personal data and the rights of individuals when it’s transferred overseas.

Other jurisdictions have similar rules. For example, there are restrictions on personal data transfers from the European Union, Brazil, UAE, New Zealand and Singapore, to name a few.

In this article I’m focusing on UK-based organisations who are looking to transfer personal data outside the UK, and the key steps to take.

BALANCING THE RISKS

Tackling international data transfers can feel complex and overwhelming, but it really pays to make sure relevant stakeholders in your business are familiar with the requirements and understand the potential risks. Sometimes you may have limited control over the terms under which you do business with others. There will be times where there’s no room for negotiation on the terms. Where this is the case, a balance will need to be struck between the business necessity of entering the contract and the potential risks should restricted transfers not be adequately covered. Do you walk away and find a different solution, or accept the risk?

STEP 1: IDENTIFY PERSONAL DATA TRANSFERS

First you need to check if what you’re planning to do constitutes a restricted international data transfer.

🚩 Are you transferring or sharing personal data with an organisation located outside the UK? This could be a new supplier/service provider or another organisation you need to share data with.

🚩 Are you making personal data available to another entity located outside the UK? Can the data be accessed by another entity’s employees?

The receiver of the personal data could be a separate company, a public body, a sole trader or another legal entity within a group of companies. Here are some examples:

Suppliers based outside the UK

Transferring personal data to, or permitting access to it by, a supplier/service provider based in the US, India, France, Australia or anywhere else in the world.

Partner organisations based outside the UK

Sharing personal data with any organisation based overseas, who may be using the personal data for their own purposes. This includes sending paper or electronic documents, by email or post, or permitting another organisation to access your systems.

Group entities based outside the UK

Sharing employee, customer or any other personal data with a separate legal entity within your corporate group which is located outside the UK. This includes employees working for an overseas entity having access to personal data on the UK organisation’s systems.

Important note: It would not constitute a restricted transfer if someone employed by a UK-based company accesses personal data from overseas. For example, a colleague on a business trip can access UK systems from anywhere in the world.

STEP 2: CHECK IF AN EXCEPTION APPLIES

There are some limited exceptions where you don’t need an adequacy decision or other safeguard mechanism. The ICO makes it clear most exceptions include the word ‘necessary’, and while this doesn’t mean the transfer has to be absolutely essential, it ‘must be more than just useful and standard practice’.

To rely on an exception you need to assess whether the transfer is objectively necessary and proportionate, and can’t reasonably be achieved in another way. Exceptions are most likely to be appropriate for occasional transfers, a low volume of data and where there is a low risk of harm when personal data is transferred. Here are some of the most commonly used exceptions; the ICO publishes a full list.

📌 Explicit Consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.

📌 Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.

📌 Public Interests – the transfer is necessary for important reasons of public interest.

📌 Legal Necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.

📌 Vital Interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give

STEP 3: CHECK IF DESTINATION COUNTRY HAS AN ADEQUACY DECISION

If a country has been awarded ‘adequacy’ there is no legal requirement for any further additional safeguards. Adequacy status is awarded to certain countries which have been judged to have data protection standards similar to those in the UK. An adequacy decision essentially allows for the free flow of personal data between the UK and another country.

Adequacy decisions are kept under regular review, and can be overturned, so some organisations take a belt and braces approach and adopt additional safeguards.

European Economic Area / UK

The European Commission has granted the UK ‘adequacy’ for the time being, and this is reciprocated by the UK. Therefore, personal data can flow freely between the UK and countries in the EEA. This includes the EU member states and the EFTA states.

Other adequate countries

The UK adopted all EU adequacy decisions as of January 2021. Therefore personal data can flow freely between the UK and countries such as Switzerland, New Zealand, Uruguay, Israel and Japan.

See a full list of European Commission Adequacy Decisions. The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems acceptable for transfers from the UK.

United States

The ‘UK-US Data Bridge’ came into play in the Autumn of 2023. This extension to the EU-US Data Privacy Framework (DPF) permits the free flow of personal data between the UK and US, but only if the US company has:

    • self-certified and meets the principles of the DPF, and
    • signed up to the UK ‘data bridge’ extension.

For a list of self-certified organisations, see the US Department of Commerce DPF list.

STEP 4: SELECT A SAFEGUARD MECHANISM (IF NECESSARY)

If there is not an adequacy decision for the destination country and you aren’t able to rely on a limited exception, there’s a requirement to make sure specific provisions are in place. Organisations have the following options in order to comply with UK GDPR.

📌 UK International Data Transfer Agreement (IDTA)

This is a standalone legal contract which has been published by the UK ICO. Its purpose is to safeguard personal data which is sent outside of the UK.

📌 EU Standard Contractual Clauses (SCCs) with UK Addendum

The EU SCCs are contracts which have been produced by the European Commission for the purpose of safeguarding personal data sent outside the EU. The ICO stresses EU SCCs are not valid for restricted transfers under UK GDPR on their own; it’s necessary to use the UK Addendum as well. It’s also worth noting new EU SCCs were published in 2021 and the old versions are no longer valid for UK organisations to use, so make sure you haven’t got any outdated SCCs lurking in existing contracts.

📌 Binding Corporate Rules (BCRs)

BCRs can be used as a safeguard for intra-group transfers. Some global organisations have gone down this route, but it is onerous and takes a considerable amount of time, as BCRs must be approved by a relevant data protection authority (such as the ICO). Therefore many organisations opt for EU SCCs with the UK Addendum, or the IDTA.

📌 Other safeguards

Other safeguard measures include approved codes of conduct, approved certification mechanisms, or legally binding and enforceable instruments between public authorities or bodies.

STEP 5: CONDUCT TRANSFER RISK ASSESSMENT (IF NECESSARY)

If you are looking to rely on the IDTA, or EU SCCs with the UK Addendum, there’s a requirement to conduct a Transfer Risk Assessment (TRA). This is a written assessment to determine whether personal data will be adequately protected and to assess the likelihood and severity of risks to people’s fundamental rights and freedoms. A key aspect of this is assessing whether foreign governments or public bodies could override the safeguard measures you have in place.

The ICO has published TRA Guidance, which includes a TRA tool: a template document of questions and guidance to help businesses carry out a TRA. You can also use the EU alternative, a Transfer Impact Assessment (TIA).

STEP 6: KEEP UNDER REVIEW

The rules relating to international data transfers have been subject to a number of significant legal rulings and changes over the past decade, and it’s therefore important to keep abreast of developments; new adequacy decisions may be issued, and existing decisions could be overturned.

An area to definitely keep an eye on is the EU’s adequacy decision for the UK. This is expected to last until June 2025, but is up for review. It could be extended, but if it isn’t it will expire on 27 June 2025.