UK International Data Transfers: Plan and Act Quickly | HCLTech

November 09, 2022

International data transfers have slipped under the radar for many UK firms over the past year. However, these businesses must now begin preparing for the legally binding reforms of the International Data Transfer Agreement (IDTA), which will come into effect on March 21, 2024.

The IDTA consists of four main parts:

  • Part 1: Tables of processing information
  • Part 2: Additional protective provisions
  • Part 3: Business clauses
  • Part 4: Mandatory clauses

What does the Agreement say?

The current arrangements utilizing existing UK Standard Contractual Clauses are valid until March 21, 2024. Any new arrangements can be entered into under the new regimes or current UK Standard Contractual Clauses up to September 21, 2022. The latter will only be valid until March 21, 2024.


What happens after September 21, 2022?

New arrangements must be made under the International Data Transfer Agreement or Addendum if an adequacy decision or other exception does not apply.

What happens after March 22, 2024?

All arrangements must be brought under the International Data Transfer Agreement or Addendum if an adequacy decision or other exception does not apply.

What does this mean in practice?

A Transfer Risk Assessment/Transfer Impact Assessment (TRA/TIA) will be required to examine the global component. Organizations must decide whether to include it in their general Data Protection Impact Assessment, which is mandatory under UK GDPR.

To enable a low, medium, or high-risk assessment, TRA/TIAs contain three components, each of which is specified and needs to be considered and documented. These are:

  • The nature of the transfer
  • The character of the destination country, when there is no adequate regulation
  • The likelihood of danger and the possible effects of the transfer, for instance the danger of being watched and the resulting damage

To guarantee compliance, organizations' technology, legal, human resources, marketing, and data protection departments will need to coordinate their efforts. To ensure this comprehensive approach permeates an organization, it is advisable to incorporate transfer risk assessments and transfer impact assessments into data protection impact assessments. Should a breach occur, the regulator's perception will almost certainly be influenced by the organization's diligence in this regard.
