New UK safeguard mechanism for international personal data transfers – what organisations need to know

The UK’s new safeguard mechanism for international transfers of personal data came into force on 21 March 2022. Joanna Boag-Thomson discusses what organisations need to know to ensure they are complying with both the UK GDPR and EU GDPR.

23 March 2022

The UK’s new safeguard mechanism for international transfers of personal data came into force on 21 March 2022. Organisations that make restricted transfers of personal data should review their data transfer processes now. Although there is a long transition period for the new UK safeguards (more details on this below), if organisations also transfer personal data under the terms of the EU GDPR then there is a separate deadline of 27 December 2022 for ensuring such transfers use the new form of EU safeguard mechanism. Many UK businesses may not have taken the time to review their international transfers post-Brexit and it is important that they do so now to ensure they are complying with both the UK GDPR and EU GDPR.  

Two new data transfer mechanisms

Two transfer mechanisms have been introduced for making international transfers under the UK GDPR (“UK Transfer Options”). These are: 

  • the International Data Transfer Agreement (IDTA): this is a standard document which can be executed alongside the main contract between the data importer and exporter. Importantly, this only ensures compliance with UK GDPR; and
  • the UK Addendum to the new EU SCCs: organisations required to comply with both the UK GDPR and EU GDPR can rely upon the new EU SCCs as supplemented by the new UK Addendum. 

These transfer tools replace the UK’s reliance on the old EU Standard Contractual Clauses (SCCs) to make restricted transfers to certain jurisdictions. Historically, many organisations implemented the old SCCs before there was any need to consider the UK GDPR. 

Organisations should note that using one of the UK Transfer Options will not be sufficient in itself to ensure compliance with UK GDPR. Organisations will need to carry out a Transfer Risk Assessment to quantify the risks in the specific context of the transfer to decide whether any additional protections need to be put in place. 

Timeline for transition 

There is a transitional period to enable organisations to start using these new mechanisms, and there are a number of key dates that organisations should bear in mind:

  • 21 March 2022: organisations can use the UK Transfer Options for international data transfers that are subject to UK GDPR;
  • 21 September 2022: organisations may continue to enter into new contracts on the basis of the old EU SCCs until this date. From 22 September 2022 organisations must use one of the UK Transfer Options for any new arrangements subject to UK GDPR;
  • 20 March 2024: until this date, all existing contracts entered into on the basis of the old EU SCCs will continue to provide ‘appropriate safeguards’ for the purpose of UK GDPR. From 21 March 2024, any existing transfer arrangements (including those entered into before 22 September 2022 relying on the old EU SCCs) will need to be replaced by a new agreement based on one of the UK Transfer Options.

What should organisations do?

Organisations should review their international data transfer processes now in order to ensure compliance with the changing UK and EU landscapes. Organisations may now be required to implement new contracts and undertake risk assessments to legally transfer data internationally. 

As noted, the European Union has implemented a shorter timeline for organisations to adopt the use of new SCCs, imposing a deadline of 27 December 2022. This shorter timeline is likely to drive organisations to review their existing data transfers in advance of 2024. For organisations already updating their practices to comply with the EU GDPR and also wishing to ensure compliance with the UK GDPR, the most straightforward approach will likely be to consider a framework using the new EU SCCs alongside the UK Addendum. 

Organisations should not delay carrying out this exercise. December may seem to be some time away but it is better to start the exercise of ensuring compliance with the EU GDPR now – and benefit from updating UK GDPR compliance at the same time. 

Our media and technology team is already helping clients to navigate this transition. If you require similar support or would like more information please contact Joanna Boag-Thomson, Partner in our media and technology team, or your usual Shepherd and Wedderburn contact.