International data transfers have slipped under the radar for many UK firms over the past year. However, these businesses must now begin preparing for the legally binding reforms of the International Data Transfer Agreement (IDTA), which will come into effect on March 21, 2024.
The IDTA consists of four main parts:
- Part 1: Tables of processing information
- Part 2: Additional protective provisions
- Part 3: Business clauses
- Part 4: Mandatory clauses
What does the Agreement say?
The current arrangements utilizing existing UK Standard Contractual Clauses are valid until March 21, 2024. Any new arrangements can be entered into under the new regimes or current UK Standard Contractual Clauses up to September 21, 2022. The latter will only be valid until March 21, 2024.
What happens after September 21, 2022?
New arrangements must be made under the International Data Transfer Agreement or Addendum if an adequacy decision or other exception does not apply.
What happens after March 22, 2024?
All arrangements must be brought under the International Data Transfer Agreement or Addendum if an adequacy decision or other exception does not apply.
What does this mean in practice?
A Transfer Risk Assessment/Transfer Impact Assessment (TRA/TIA) will be required to examine the global component. Organizations must decide whether to include it in their general Data Protection Impact Assessment, which is mandatory under UK GDPR.
To enable a low, medium, or high-risk assessment, TRA/TIAs contain three components, each of which is specified and needs to be considered and documented. These are:
- The nature of the transfer
- The character of the destination country, where there is no adequate regulation
- The likelihood of danger and the possible effects of the transfer. For instance, the danger of being watched and the resulting damage
To guarantee compliance, organizations' technology, legal, human resources, marketing, and data protection departments will need to coordinate their efforts. To ensure this comprehensive approach permeates an organization, it is advisable to incorporate transfer risk assessments and transfer impact assessments into data protection impact assessments. Should a breach occur, the regulator's perception will almost certainly be influenced by the organization's diligence in this regard.