The UK International Data Transfer Agreement (IDTA) Explained

Brief Background

As per Article 46 of the GDPR, data transfers outside the European Economic Area (EEA) can take place only to adequate countries, i.e., countries where an adequate level of data protection is ensured. For data transfers to non-adequate countries, appropriate safeguards need to be in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the European Union. These safeguards include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) and ad-hoc contractual clauses.

The International Data Transfer Agreement (IDTA) Introduced

For transfers from the UK to non-adequate third countries (mostly countries not in the EEA), the ICO has released the International Data Transfer Agreement (IDTA) and draft guidance on transfer risk assessments. The IDTA is considered to be a replacement of former SCCs and facilitates transfers from the UK to non-adequate third countries.

IDTA vs. EU SCCs

So, how different is the IDTA from the new EU SCCs?

Format

The IDTA does not follow a modular format like the one prescribed in the new SCCs.

Disputes

Another critical difference between the two is the provision in the IDTA that allows parties to resolve disputes by arbitration, with termination provisions in the Addendum and the main IDTA.

  1. Assess the legal protections offered by the third country, and
  2. Assess the potential impact on the data subjects of the transfer and any risk of harm to data subjects you identify.

Scope

The ICO clearly communicated that organizations could choose whether they want to use the Addendum or the IDTA when making international transfers.

Flexibility of Use

This is more of an extension of the aforementioned difference. The IDTA has been designed keeping in view the data transfer requirements of the UK. At the same time, the Addendum allows organizations to continue using the EU SCCs themselves to cover both transfers.

How Can Securiti Help?

The IDTA will require organizations to assess data flows from the UK to non-adequate third countries.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store