UK International Data Transfer – new mechanisms now LIVE

30th March 2022digital data transfer image
Source: Pixabay

Do you transfer personal data outside of the UK?  If so, the UK’s new international data transfer mechanism might apply to you. 

But, I don’t send any data abroad” you might say, but are you sure? Where is your email marketing system or CRM company based? Many of the popular ones are outside of the UK so the new rules might apply to you. 

If you transfer data outside of the UK, the recipient countries will fall into two broad categories:- 

  1. A secure third country
  2. An insecure third country

A secure third country is a country which has a similar legislative framework in place to protect the data of UK citizens just as if it were processed in the UK. 

Originally these secure third countries were assessed by the European Union as being safe countries in which EU citizens’ data could be processed, and when the UK left the EU we simply adopted their decision. These countries were awarded an ‘adequacy decision’.   

The countries who have currently received an adequacy decision include: 

All countries within the European Economic Area plus :

AndorraArgentinaCanada (commercial organisations), Faroe IslandsGuernseyIsraelIsle of ManJapanJerseyNew ZealandRepublic of KoreaSwitzerland , the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection” SOURCE: 

Insecure Third Countries are those countries in the rest of the world, who are not listed above and who the UK Government does not deem to have in place adequate data protection safeguards. 

Historically, when transferring data to an insecure third country you must put in place a Data Sharing or Data Processing Agreement which included EU GDPR Standard Contractual Clauses (SCC). 

However,  these clauses were written from an EU perspective and so in collaboration, the UK Information Commissioner and UK Government created their own version of the EU SCC. These are referred to as an International Data Transfer Agreement or IDTA and came into force on 21 March 2022. 

If the country you are transferring personal data to is OUTSIDE of the EEA or has not been awarded an adequacy decision then the new international data transfer mechanism applies to you. 

What has changed? 

Two new tools that were approved by the UK Parliament and are NOW in force. 

  1. A UK International Data Transfer Agreement (IDTA) and
  2. A UK Addendum for any agreements which contained the EU standard contractual clauses.

The UK International Data Transfer Agreement (UK IDTA) 

These agreements, basically, are all about ensuring that the country to which you are importing personal data offers an EQUIVALENT LEVEL OF PROTECTION to that which we offer via the UK GDPR.  The agreements ensure that these obligations are passed on to the overseas party receiving the data. They in essence embed the key tenets, principles and rights contained within the UK GDPR into an enforceable contract. 

You must also remember the issues raised by Schrems II Case whereby the European Court of Justice required that you (the exporter) do a data risk assessment on the country to which you are transferring the personal data (the importer).  Apart from the UK Controller performing their own due-diligence on the legal framework of the country to which they wish to export data, to further assist with this double due-diligence some of the clauses within the IDTA place the onus upon the data importer to inform the Controller if there are any laws in the country which may interfere with the privacy rights of data subjects. For example, they must inform the Controller (exporter) if the government in the third country can demand that the importer hand over copies of any data held by them. 

The good news here is that the ICO has suggested that they will be releasing a ‘risk assessment tool’ to help with this. 

You can access the UK International Data Transfer Agreement via the ICO website here. 

The Addendum 

The EC created a new set of Standard Contractual Clauses (SCCs) for the EU GDPR in June 2021.  These SCCs were for the transfer of personal data outside of the EU to countries without an Adequacy Decision.  Of course, by that time, as we know, the UK was itself outside of the EU. 

(Just for clarity, the United Kingdom was granted an Adequacy Decision by the EU in June 2021 – you can read more about that in our blog here) 

Until now, data exporters from the UK have been relying on EU based SCCs.  If this is you, you may find the following checklist helpful: 

  1.          Are you solely exporting data from the UK?  If so, use the new UK IDTA. 
  2.          Does your organisation have interests in Europe and therefore you are also exporting personal data from within the EU?  If so, use the EU Standard Contractual Clauses with the new UK Addendum. 

This new UK Addendum basically aligns the EU SCCs with the UK GDPR and UK law. 

You can find the Addendum for your use on the ICO website here. 


Both the UK IDTA and the new UK Addendum came into force on March 21st  2022.  However things to be aware if you want to transfer personal data outside of the UK:- 

  • You can continue using the old EU SCCs for new contracts until September 2022.
  • After 21 September 2022 you MUST use either the UK IDTA or the EU SCCs with the UK Addendum for new contracts.
  • Existing contracts (ie those already in place and proving no material changes take place) using the old EU SCC’s can remain as such until March 2024 – then you must conform to one of the new mechanisms.

Please visit the ICO website to download the actual mechanisms that you need to use. 

Wondering “How do I transfer personal data outside of the UK now that these new mechanisms are live?”  Need a bit more help or advice? Please do take advantage of your complimentary thirty-minute data protection consultation.  The specialists here at the Griffin House Consultancy are here to help you. 

  Yes please! I have a question >> Book your complimentary consultation << 

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.

    Your Contact Details

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.