Brexit and European case law created a need for new standard contractual clauses in the UK (the “new UK SCCs”), which came into effect on March 21, 2022.

International transfer of personal data is on the mind of every global organisation today. You should be familiar with the European Commission’s new Standard Contractual Clauses (the “new EU SCCs”) implemented on September 27, 2021, and updated in existing agreements by December 27, 2022. The new EU SCCs are not valid for transfers to which the UK GDPR applies.

The UK’s new International Data Transfer Agreement (IDTA) and the UK Addendum to the new EU SCCs are, in a nutshell, the “UK version” of the new EU SCCs. (To review the IDTA and the UK Addendum on the Information Commissioner's Office website, please click here.) The IDTA and the UK Addendum are of immediate use to organisations transferring personal data from the UK to countries not covered by the UK adequacy regulations. Organisations need to use either the IDTA or the UK Addendum to comply with Article 46 of the UK GDPR requirements. 

When considering the new UK SCCs:

  • Use the IDTA or the UK Addendum when transferring personal data from the UK to countries not covered by an adequacy decision (data flow from the UK to EU/EEA remain unaffected).
  • Put together a team to assess the advantages and disadvantages of using IDTA or the UK Addendum. 
  • Always conduct a Transfer Risk Assessment (TRA) before any transfer, whether you use the IDTA or the UK Addendum.
  • Prepare to use the IDTA or the UK Addendum when entering into new arrangements for transfers subject to the UK GDPR after September 21, 2022.
  • Replace existing agreements for UK transfers based on the EU SCCs by March 21, 2024. 

Global companies transferring personal data subject to both the EU GDPR and the UK GDPR need to implement a strategy to ensure appropriate safeguards are in place. Please contact us to discuss how Elevate can support you in these efforts.