
UK data protection regime: updates to consider

Since the start of 2021, the UK data protection regulatory regime has seen substantial changes, in particular for data transfers. The UK has now adopted its own version of the GDPR (known as the ‘UK GDPR’), and is in the process of introducing its own international transfer mechanism (the ‘International Data Transfer Agreement’ or ‘IDTA’) to enable organisations to legitimise data transfers to third countries. The IDTA is due to come into force on 21 March 2022.

Recent changes to the UK data protection regime mean that organisations should take the following key steps:

  • Decide whether it is necessary to appoint an EU data protection representative (an ‘EU Rep’). This is required if an organisation a) is located outside of the EEA (which UK organisations now will be for the first time); b) has no offices, branches or other establishments in the EEA; and c) is offering goods or services to individuals in the EEA, or monitoring their behaviour.
  • Review existing data protection policies and privacy notices and update these to refer to the UK GDPR, either instead of, or as well as, the EU GDPR. If an organisation has appointed an EU Rep, their contact details will also need to be included within privacy notices.
  • Review international data transfers, ensure that transfer risk assessments have been completed and update data transfer mechanisms.
  • Where there is a transfer of personal data which is subject to the EU GDPR, organisations should transition arrangements from the previous version of the EU’s Standard Contractual Clauses (SCCs) onto the new version which came into force on 4 June 2021. Note that all such arrangements which are reliant on the previous EU SCCs need to be transitioned to the updated 2021 version by 27 December 2022.
  • Where there is a transfer of personal data which is subject to the UK GDPR, once the IDTA comes into force, organisations should incorporate this into relevant arrangements, in place of the old EU SCCs. Alternatively, if an organisation is transferring personal data which is subject to both the EU GDPR and UK GDPR, it can use the new EU SCCs along with the UK Addendum. The UK Addendum has been published to extend the protection of the EU SCCs for the benefit of UK personal data, to enable organisations to use one data transfer mechanism rather than having to sign both the EU SCCs and a separate full UK IDTA. Note that organisations have until 21 March 2024 to transition existing arrangements onto the IDTA (or the UK Addendum to the EU SCCs).

If you have any further queries, please contact our Data Protection team.
