
UK data transfers – one year on and one year to go to ensure compliance!

By Vicki Howe, Sonia Sharma

• 21 March 2023 • 14 min read

One year ago today, we published the article, 'Time to check your personal data transfer from the UK - new rules in place today!' announcing that the highly anticipated new rules for personal data transfers to countries outside the United Kingdom (UK) came into force. Since then, some important deadlines have passed with others still looming ahead. In this article our GDPR specialists break down what has happened and what organisations should be doing now.

For further information and context on the introduction to these rules, see 'Time to check your personal data transfer from the UK - new rules in place today!'

If your organisation is transferring or receiving personal data outside of the UK or EU, you may need to comply with the data transfer rules under the UK General Data Protection Regulation (UK GDPR) or EU General Data Protection Regulation (EU GDPR).

With only one year to go until organisations can no longer rely on the old EU standard contractual clauses (old EU SCCs) for transfers of personal data outside of the UK, you should be aware of past developments, and, if you haven’t already done so, start preparing for the upcoming deadline.

What has already happened?

From 21 March 2022, the UK introduced the following documents for transfers of personal data outside of the UK:

  • the new International Data Transfer Agreement (IDTA); and
  • the new International Data Transfer Addendum (UK Addendum) to the European Commission’s new standard contractual clauses (new EU SCCs),

together, the IDTA and the UK Addendum are referred to in this article as the ‘UK Transfer Documents’.

From that date, it became possible for organisations to start relying on the UK Transfer Documents for transfers of personal data subject to the UK GDPR.

While a grace period was established for existing contracts and data transfers, from 22 September 2022, organisations were required to use the UK Transfer Documents for any new arrangements involving international data transfers subject to the UK GDPR.

What deadline is approaching?

From 21 March 2024, any existing contracts which incorporate the old EU SCCs for transfers of personal data subject to the UK GDPR will need to be replaced by the UK Transfer Documents (or you will need to find another way to transfer personal data outside of the UK under the UK GDPR).

While that may seem far away, the clock is now ticking to get your house in order if your organisation is impacted.

What action do we need to take?

Based on our work advising clients on GDPR issues, many are struggling to come to terms with these changes.

If your organisation has not already prepared for previous developments, or the upcoming deadline, you should consider taking the following steps by 21 March 2024 to ensure compliance with the data transfer rules under the UK GDPR:

Action | Why do we need to do this?

Conduct a threshold assessment
Have we conducted a threshold assessment of whether the UK GDPR or EU GDPR applies to us?

While the EU GDPR has been in operation for several years now (since 25 May 2018), we regularly assist clients who are not aware that the UK GDPR or EU GDPR may apply to them. However, the territorial scope of the UK GDPR and the EU GDPR is very broad, meaning that, even if you do not have an office in the UK or EU, the UK GDPR or EU GDPR may still apply to you.

If the UK GDPR or EU GDPR does directly apply to you, there are many obligations which you need to be aware of, and comply with, and this includes the rules relating to overseas transfers. As such, it is important that you have conducted a threshold assessment to determine whether the UK GDPR or EU GDPR applies to you, or risk being in breach of the applicable privacy laws.

Conduct a data mapping exercise
Do we know what personal data we hold?

Given the rapidly evolving privacy landscape in Australia, you should already be conducting a data mapping exercise to understand what personal data your organisation holds and how it is collected, used, disclosed and stored. However, in order to ensure that you are complying with applicable privacy laws, this data mapping exercise should include an assessment of your international data transfers, including whether any personal data is being transferred outside of the UK or EU (such as, to Australia or other countries).

Familiarise yourself with the UK Transfer Documents
Do we understand what the UK Transfer Documents are and what obligations they contain?

It is one thing to ensure that you have properly implemented the UK Transfer Documents into the necessary contracts. However, it is another to ensure that your organisation is actually able to comply with the obligations set out in the UK Transfer Documents, and operationalise such obligations into your organisation. As such, depending on whether you are the party transferring the personal data outside of the UK (data exporter) or the party receiving the personal data outside of the UK (data importer) (or both, depending on the contract), you should ensure that your organisation is able to comply, from an operational perspective, with the obligations which apply to it under the UK Transfer Documents.

Implement new contractual arrangements
Have we implemented the UK Transfer Documents for new UK data transfers into our new contracts?

As we mentioned above, from 22 September 2022, organisations were required to use the UK Transfer Documents (instead of the old EU SCCs) in any new contractual arrangements which involve the transfer of personal data subject to the UK GDPR. As such, your organisation must ensure that any templates, systems and processes are updated accordingly so that your employees do not continue to incorporate the old EU SCCs into new contracts.

Review existing contracts
Have we reviewed our existing contracts?

You should review your existing contracts in order to identify all of those contracts that currently incorporate the old EU SCCs (and, therefore, will need to be updated to reflect the UK Transfer Documents).

NOTE: the old EU SCCs are also no longer valid for international transfers of personal data subject to the EU GDPR. As such, the old EU SCCs should no longer be used in any circumstances from 21 March 2024.

Develop a template for a Variation Agreement
Do we have a template Variation Agreement we can use?

While it may make sense for the parties to enter into an entirely new contract (for example, if the existing contract is due to expire soon or it is no longer fit for purpose), it may not make sense to do this and you may want the existing contract to continue. If this is the case, you should develop a template variation agreement which you can use to replace the old EU SCCs with the UK Transfer Documents in your existing contracts.

Contact contracting parties
Have we contacted our contracting parties?

Now that you have identified which contracts need to be updated (and you have a template variation agreement you can use, if relevant), you should contact the relevant contracting parties and alert them to the upcoming deadline so that the parties can amend their existing contract to replace the old EU SCCs with the UK Transfer Documents.

You should ensure that you commence this process with plenty of time to spare in advance of the deadline (noting that contracting parties may be slow to engage with you, or it may take some time to negotiate and agree the new contract or variation agreement).

Conduct a Transfer Risk Assessment
Have we conducted a data transfer impact assessment?

Before executing your contract incorporating the UK Transfer Documents, data exporters must be satisfied that the relevant data subjects continue to have a level of protection essentially equivalent to that under the UK GDPR. This means conducting a data transfer impact assessment (DTIA), to identify the risks associated with the transfer and whether additional safeguards are required to be put in place before the transfer is made.

If you are the data importer, you may need to assist the data exporter in conducting this DTIA (such as answering questions about the number of requests you have received from public authorities for access to personal data).

Execute the new UK Transfer Documents
Have we executed our variation agreements or new contracts?

Now that you have agreed the form of the variation agreement, or new contract, which incorporates the UK Transfer Documents and determined that you are able to conduct the transfer in accordance with the DTIA, you should ensure that the parties execute it before the deadline, and your organisation complies with the obligations applicable to it.

Keep up to date with privacy reforms
Do we monitor and stay on top of privacy reforms?

The privacy landscape in many countries around the world (including the UK and Australia) is constantly evolving and it is important that organisations view privacy compliance as an ongoing issue. As we have seen from the recent developments in Australia, privacy is seen as an increasingly important issue for consumers and Governments alike, so organisations should be taking it seriously and appointing internal stakeholders to monitor legislative changes and develop a clear compliance roadmap to deal with such changes.

Do you have any questions?

If you have any questions or would like assistance with understanding or meeting your obligations under the UK GDPR or EU GDPR, please get in touch with our team.
