On February 2, 2022, the U.K.’s Information Commissioner’s Office (ICO) laid final versions of the following documents before Parliament: the International Data Transfer Agreement (IDTA); an addendum (the Addendum) to the EU’s standard contractual clauses for international data transfers; and an additional document laying out transitional provisions. If there are no objections from Parliament, the changes to international data transfers described in these documents will take effect on March 21, 2022.
The need for the IDTA and Addendum originated with Brexit, and the ICO began soliciting public comment on draft versions last year.
Once accepted by Parliament, the IDTA gives U.K. organizations a transfer mechanism that satisfies the U.K. GDPR (the retained version of the EU’s General Data Protection Regulation) and the Data Protection Act 2018. Once in force, restricted transfers of personal data out of the U.K. will have protections and procedures equivalent to those of the EU’s standard contractual clauses (SCCs). In a blog post from the ICO, a spokesperson said:
The IDTA and Addendum are written with the aim of helping organizations ensure they have the correct protections in place when transferring people’s data outside of the UK to countries not covered by adequacy decisions. Applying high standards of data protection to global data flows is essential in maintaining people’s trust in this ecosystem.
That may sound straightforward, but Linnea Solem (Solem Risk Partners), a retired Chief Privacy Officer and industry expert, offers a note of caution:
“Adopting the EU’s Standard Contractual Clauses (SCCs) or the UK’s International Data Transfer Agreements for new and existing data processor relationships is a much larger undertaking than simply updating contracts. The changes put a spotlight on both data governance and enforcement of data protection safeguards that impact the governance model and policies in a TPRM Program.”
Included in the ICO’s announcement are five PDFs that will be useful to organizations involved in the transfer of data outside the U.K., beginning with the IDTA itself, which is thirty-six pages long and comprises four parts:
Part 1 consists of four tables requiring (1) the names, signatures, and contact information of the participating parties, (2) transfer details, (3) details about the data transferred, and (4) security requirements. Part 4, the Mandatory Clauses, is the lengthiest part. It contains information to help the reader understand the IDTA and how to complete it, and includes a five-page legal glossary setting out how words and phrases “must be interpreted in the IDTA.”
Solem notes that, for TPRM practitioners, managing GDPR compliance is complex for outsourcers and service providers, which must adopt new contract provisions and ensure that their due diligence processes align with the strengthened obligations for third party risk management. CPO Magazine points out that the IDTA began as “essentially a copy” of the EU’s GDPR but changed as it developed, and it now departs from the EU’s SCCs in a number of ways, which Weil Gotshal points out on Lexology:
Tom Garrubba, Vice President at Shared Assessments, notes that besides providing effective and enforceable data subject rights, the IDTA contains appropriate safeguards for the transferred data, adding, “Since these are enforceable, it’s extremely important that both the outsourcer and processor are able to achieve the agreeable conditions (e.g., the security and privacy controls) over data transfers.”
Solem points out that data governance is front and center in the UK ICO’s guidance on international data transfers. “Organizations that need to comply with both GDPR and the UK’s requirements need to build out their operational plans and bring together a strong understanding of the relationship between contracts, vendor management and privacy.” For additional background and perspective, read Solem’s post about Data Privacy Day last month on the Shared Assessments blog, which includes her thoughts on the EU/GDPR aspect of Standard Contractual Clauses.