Brief recap of what the deadline is and what it applies to
By way of a reminder, 22 September 2022 marked the date from which UK businesses could no longer use the old EU standard contractual clauses (SCCs) for any new agreements entered into where personal data is transferred outside of the UK to another country (that is not of the EU or otherwise subject to an adequacy finding).
Old/Existing Contracts: For commercial contracts entered into before 21 September 2022 that utilise the old EU SCCs, UK businesses were granted a grace period before being required to change to an alternative transfer mechanism.
This grace period expires on 21 March 2024, following which EU SCCs are no longer valid within the UK, and one of the two following mechanisms will need to be used:
- The UK International Data Transfer Agreement (IDTA) – which is a standalone agreement or
- The UK Addendum to the EU SCCs (UK Addendum) amends the new EU SCCs for use within the UK in compliance with the UK GDPR.
What UK businesses need to do next
Noting that the deadline is just under two months away, UK businesses should (if not already done) be carrying out the following processes:
- Reviewing and identifying any existing agreements in place which allow for the transfer of personal data outside of the UK and which are still relying on the old EU SCCs;
- Varying any existing agreements which use the old EU SCCs to incorporate either the IDTA or the UK Addendum;
- Ensuring that any new agreements entered into incorporate the UK Addendum or the IDTA and are not subject to the old EU SCCs and
- Where applicable (where personal data is being transferred to a country deemed inadequate by the UK Government and will be relying on either the IDTA or the UK Addendum), carry out a transfer risk assessment (TRA). In such circumstances, the TRA is a mandatory requirement, and its purpose is to ensure that the personal data of individuals will be fully protected when it is sent to the relevant country outside of the UK.
How we can help
The Commercial Team at Myerson has extensive experience of advising businesses in order to ensure that any international transfers of personal data are made in complete compliance with UK GDPR and can provide assistance to businesses in the following ways:
- Assessing the position of the parties and advising on which of the transfer mechanisms is most appropriate;
- Assisting businesses with carrying out TRAs;
- Transitioning agreements which are still relying on the old EU SCCs to the most appropriate transfer mechanism (either the IDTA or UK Addendum) via variations;
- Updating any template agreements which businesses use to ensure that they incorporate either the IDTA or the UK Addendum and
- More generally, working with businesses to ensure compliance with the UK GDPR through carrying out data mapping exercises, gap analysis reports and data protection impact assessments.