
UK: International data transfer regulation and its effects on UK businesses

Post-Brexit, the UK General Data Protection Regulation (UK GDPR) applies instead of the EU General Data Protection Regulation (EU GDPR) to businesses in the UK and, in certain circumstances, to non-UK businesses' handling of UK individuals' information.

While almost identical to the EU GDPR, there are some key differences in the requirements that organizations subject to the UK GDPR (UK GDPR Firms) need to be aware of and comply with when transferring personal data internationally. Imminent deadlines apply in relation to some of these, as further summarized below. Lawrence Brown, from Simmons & Simmons LLP, considers the implications of the UK requirements in this area, both for UK GDPR Firms and for overseas organizations that deal with them regularly.  


For UK GDPR Firms 

Who's my regulator? 

From a regulatory perspective, UK GDPR Firms should refer to guidance from the Information Commissioner's Office (ICO), as opposed to national regulators in the EU or the European Data Protection Board (EDPB) which includes representatives from all EU Member States. 

In practice, the ICO's guidance on various topics refers in various places to the EDPB's guidance and, as a result, the EDPB remains a helpful reference point. 

What are my options? 

Adequacy regulations 

As the European Commission has done under the EU GDPR, the ICO has published lists of countries that are subject to adequacy regulations. In addition to the European Economic Area (EEA) countries, Gibraltar, and the Republic of Korea, the countries benefitting from adequacy regulations are the same as those on the European Commission's list. When transferring personal data to organizations in these countries, businesses need not take any further steps to be compliant with the international personal data transfer requirements under the UK GDPR, unless and until those adequacy regulations are withdrawn. The UK-US Data Bridge is an extension to the EU-US Data Privacy Framework (EU-US DPF) and allows UK GDPR Firms to transfer personal data to organizations that have self-certified their compliance with the EU-US DPF. 

Binding Corporate Rules and Standard Contractual Clauses 

If no adequacy regulations apply, organizations will need to consider either the appropriate-safeguards mechanisms under Article 46 (transfers subject to appropriate safeguards) or Article 47 (Binding Corporate Rules (BCRs)). While BCRs carry a level of prestige, in that they typically indicate an organization that has invested significantly in its data protection compliance program, they are time-consuming and expensive to put in place and therefore have not been widely adopted.

This leaves organizations with the options specified in Article 46. While the UK GDPR codes of conduct and certification mechanisms remain possibilities, they are not widely used. By far, the most widely used Article 46 mechanism is the UK standard forms of data transfer agreement. These are: 

  • the International Data Transfer Agreement (IDTA) which is a stand-alone UK form of data transfer agreement; and 
  • the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses for international data transfers (UK Addendum), which operates as a 'converter plug' for the EU Standard Contractual Clauses (SCCs) to enable them to work for UK GDPR Firms. 

Generally, UK GDPR Firms that are only based in the UK tend to use the IDTA, whereas UK GDPR Firms that are also subject to the EU GDPR (or that are in groups of companies to which the EU GDPR also applies) tend to use the UK Addendum, to help ensure uniformity of obligations across the board. 

Importantly, as well as using the above forms for future transfers, if not done already, UK GDPR Firms must complete the re-papering of their existing transfers by March 21, 2024. The majority of UK GDPR Firms are already well underway on this exercise. For those in a less advanced position, time is short and an efficient process is needed. 

Transfer Risk Assessments 

As is the case for organizations subject to the EU GDPR, UK GDPR Firms must carry out Transfer Risk Assessments (TRAs) for all of the transfers for which they rely on an Article 46 or Article 47 adequacy mechanism.

In short, TRAs involve assessing the laws in the country to which the personal data is transferred, as well as certain facts and circumstances relating to the transfer, such as whether or not the data is accessible by the importer, whether the importer has a history of government access requests, and the security measures in place. 

The ICO has created its own TRA tool which can be used to carry out TRAs. It focuses on human rights in the destination country as well as on individuals' ability to enforce the adequacy mechanism against the importer. 

Helpfully, the ICO also endorses the approach taken by the EDPB in relation to TRAs. Typically, international organizations wish to apply a one-size-fits-all process to their TRAs (including where these are required under other data protection laws such as those in China), and so the EDPB approach is widely adopted.  

Derogations 

In some circumstances, it is not practically possible to put in place the adequacy mechanisms above. 

For one-off or occasional transfers, it may be possible to rely on the narrowly drawn list of derogations from the requirements to put in place the adequate safeguards in Article 49 of the UK GDPR. The derogations include (by way of a non-exhaustive list of examples): 

  • where the explicit consent of the relevant individual has been obtained; 
  • where the transfer is necessary for important reasons of public interest - this may be the case when transferring data to a regulator, but would need closer examination on a case-by-case basis; or  
  • where the transfer is necessary to establish whether a UK GDPR Firm has a legal claim or defense against a legal claim. 

Derogations are typically only relied upon in the context of engaging with the courts, regulators, or in relation to litigation.  

For organizations dealing with UK GDPR Firms 

For those dealing with UK GDPR Firms (such as suppliers to them), a 'head-in-the-sand' approach is likely to affect their ability to sign new customers up and/or will result in time and expense spent engaging with individual customer requirements. In other words, it is best avoided.

Instead, the organizations that deal with UK GDPR Firms most effectively typically: 

  • incorporate either the IDTA or UK Addendum into their contract templates to avoid prolonged discussions and negotiations with their customers, but if these are not intended to apply universally (for example, to customers that are not UK GDPR Firms), drafting can be included to make this clear; 
  • produce customer-facing TRAs explaining the transfers that they carry out. These FAQ-style documents can help to save significant time and effort on both sides, provided that they avoid a 'rose-tinted' view of laws in importer jurisdictions; 
  • benefit from the UK-US Data Bridge (if they are US-based); and/or 
  • put in place a combination of the above (for example, a clause that provides that the UK-US Data Bridge applies unless and until it ceases to remain in force, at which point the IDTA or UK Addendum applies instead). This helps to cater for UK GDPR Firms that are wary about relying on the UK-US Data Bridge after the two predecessor schemes to the EU-US DPF (the Safe Harbor and the Privacy Shield) were successfully challenged in court.

What's on the horizon? 

A post-Brexit reform of UK data protection laws is under discussion through the Data Protection and Digital Information Bill No. 2 (Bill No. 2). However, it's not expected to impact the requirements in this area substantively. 

Summary 

For UK GDPR Firms and organizations dealing with them, the legal landscape summarized above will be reassuringly similar to that under the EU GDPR. However, some effort and organization are required to comply with its requirements on an ongoing basis and to meet the imminent March 2024 deadline.

Lawrence Brown, Partner and Head of the Cross-Border Data Protection Group
[email protected]  
Simmons & Simmons LLP, London