As a company, we’ve been asked a lot about the impact of Brexit on UK data protection. For the boots on the ground, the changes have not felt particularly significant. The Data Protection Act, including the UK GDPR, governs our compliance in a very similar manner and we still need to ensure the integrity and security of our data all the same. The one area where you may spot some changes is data transfers. As stated by the ICO, UK transfer rules “broadly mirror the EU GDPR rules”, but the UK now has sovereignty to change these rules.
Which is exactly what the UK has done. On the 21st of March, the UK’s new International Data Transfer Agreement (IDTA) came into effect, alongside an addendum to the EU’s latest Standard Contractual Clauses (SCCs). These provisions replace the current SCCs for international transfers.
Why do we need the IDTA?
In 2020, the ECJ announced the “Schrems II” judgement, its ruling on case C-311/18 (‘Data Protection Commissioner v Facebook Ireland and Maximillian Schrems’). The result of this case invalidated the EU-US Privacy Shield and cast doubt on the use of SCCs to transfer data.
In principle, SCCs still provide an acceptable safeguard for transfers of personal data, but they now require additional work. Since Schrems II, both the EU and the UK have been working on new safe mechanisms for data transfer. For the UK, that new mechanism is the IDTA.
When to use the IDTA
Much like SCCs, and the now-defunct EU-US Privacy Shield, the IDTA is used when organisations want to transfer data to territories that are not covered by adequacy regulations and have weaker data protection provisions. The IDTA acts as a contract between the organisations sharing data. The organisation receiving data is not held to the same strict standard of privacy and security as the organisation sending the data, so they must agree to treat the data as if they were regulated by the UK Data Protection Act. This ensures that an individual’s personal data receives the same protection outside the UK as it would inside the country.
What does the IDTA mean for schools, colleges and trusts?
For schools, colleges and trusts, you’ll need to look at your current contracts. You’ll also need to review any new contracts you wish to enter. These changes only affect contracts with suppliers outside the EEA, without cover from an adequacy agreement. So, first of all, double check where a supplier processes and stores data.
The ICO are still publishing new guidance regarding the IDTA, but the IDTA is already available for immediate use. All contracts beginning after the 21st September 2022 will need to use the IDTA, or the IDTA addendum, so when looking at suppliers in third countries such as the USA, it’s worth implementing the IDTA (or its addendum) now, rather than using legacy SCCs.
Additionally, schools, colleges and trusts will need to look at their current contracts, as from 21st March 2024, they’ll need to rely on the IDTA, and not “old” SCCs. It’s worth making note of when your current contracts end. That way, you have enough time to discuss and implement changes with your suppliers, without a break in service provision.