Third Countries and Data Sharing

At DPAS we recognise that the way we transfer personal data to Third Countries has changed. That is why we have established a new Division which concentrates on delivering the new EU Standards Contractual Clauses, Transfer Impact Assessments and the new UK International Data Sharing Agreements.

UK Data Protection International Data Sharing Agreement (UKIDTA)

The UK Data Protection regulator has laid a copy of the proposed International Data Sharing Agreement (or UKIDTA for short), before parliament. This is the UK equivalent of the new EU Standard Contractual Clauses (SCC), which came into force on the 27th June 2021.

To put it simply, transferring personal data from the UK to a Third Country which is either outside of the EU, or deemed not to meet the adequate standards[1] of protection for personal data, will require a UKIDTA as part of the transfer safeguard – if the safeguards in UK/EU GDPR article 46[2] are not available. The intention is that you only use a UKIDTA for data transfers out of the UK. The countries in scope include the likes of India, China, and South Africa.

When set alongside the European Union’s new SCCs (which have to be in place by the 27th of December 2022), the UK version is much slimmer and less detailed than the EU equivalent. It is not helpful when you have international transfers that involve multiple jurisdictions.  Data Controllers are, therefore, more likely to use the current EU SCCs with the helpful addendum that the ICO produced to support multiple jurisdictions UK/EU Third Country transfers. 

Transfer Impact Assessment (TIA)

Alongside the UKIDTA and the SCCs, Data Controllers are required to have a Transfer Impact Assessment (TIA) in place to demonstrate compliance. The EU has stated that the purpose of this document is to ensure that the processing host country has a regime that recognises the individual rights to privacy afforded to UK/EU citizens. The responsibility lies with the Data Exporter to assess the laws of the third country; they must also determine who the local Data Protection Authority is in the third country, if any, and whether there are any form of laws, regulations and practises committed to data protection in place.

We have just undertaken two-country assessments for UK/EU-based Data exporters and produced a TIA which gives a risk-based analysis of these countries.  Whilst the ICO have yet to produce a formal template TIA, they have published a helpful list of questions that need to be researched on the importing country.

Having helped global clients through this process, we have developed a fairly slick process to turn around TIAs efficiently and of course, as we build the database, we will be better placed to shorten the route to delivery. 

So, what are the key UK dates?

  • The new IDTAs take effect on 21 March 2022 (Parliamentary approval required) these can be used with immediate effect.
  • The old SCCs can be used up to 21 March 2024 provided they are in place by 21 September 2022 but if processing has changed you will need a new set. After this date, all contracts require an IDTA.
  • Any remaining SCCs to IDTAs is 21 March 2024.

The EU position is:

All new contracts after 27th September 2021 have to include the new SCCs and a TIA.  As for existing contracts, under the old SCCs controllers and processors can continue to rely on those earlier SCCs for contracts that were concluded before 27 September 2021, up until 27 December 2022, provided that the processing operations that are the subject matter of the contract remain unchanged.

We have experience in delivering both the new SCCs and developing bespoke TIAs for Global organisations and we would be delighted to assist you in delivering your compliance requirements. 

To find out more about how our new division can help you, click the link below:

https://www.dataprivacyadvisory.com/services/international-data-transfers/

Alternatively, contact us at info@dataprivacyadvisory.com or call the office at 0203 3013384.

Nigel Gooding LLM FBCS

#keepattacking

References:

[1] The current countries deemed as adequate by the UK and EU are Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay.

[2] https://gdpr-info.eu/art-46-gdpr/

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation