Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

The UK International Data Transfer Agreement (IDTA) Explained

UK International Data Transfer Agreement banner

Published May 16, 2022

The United Kingdom's exit from the European Union meant that all UK laws that were based on EU regulations are being reviewed. There were a plethora of agreements, treaties, and laws that were intertwined between the two, and now they would require a reassessment.

It wasn't long until the question of data transfers came up. At first, data protection was one of the lesser affected areas post-Brexit as the UK’s 2018 Data Protection Act broadly mirrors the GDPR in various aspects. As far as the law's implementation is concerned, there are several roles the European Commission and European Data Protection Board (EDPB) had that are now under the UK government and the Information Commissioner's Office (ICO).

The UK parliament has since published papers suggesting changes to this law and over time we can expect changes to be made.

In February 2022, the Secretary of State of the UK presented the international data transfer agreement (IDTA) before the Parliament. It came into effect the following month.

What is the IDTA? How does it relate to the Schrems II judgment? And most importantly, how does it affect the current data arrangement between the UK, EU and non-EU jurisdictions?

Brief Background

As per Article 46 of the GDPR, data transfers outside the European Economic Area (EEA) can take place only to adequate countries, i.e., countries where an adequate level of data protection is ensured. For data transfers to non-adequate countries, appropriate safeguards need to be in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the European Union. These safeguards include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) and ad-hoc contractual clauses.

In 2020, the Court of Justice of the European Union issued its verdict in the Schrems II case that invalidated the European Commission’s EU-US Privacy Shield arrangement but upheld the use of the SCCs to transfer data securely outside the EU. For SCCs to be valid however, data exporters are required to review the legal regime of the country data is transferred to. Hence, now organizations must carry out a transfer risk assessment to assess if the SCCs are an effective protection for the transferred data and undertake supplementary measures to protect the data further based on their assessment.

In June 2021, the European Commission published new SCCs to address the deficiencies identified in the Schrems II judgment primarily. While it came into effect across the EU, the UK had already left and did not implement the SCCs.

The International Data Transfer Agreement (IDTA) Introduced

For transfers from the UK to non-adequate third countries (mostly countries not in the EEA), the ICO has released the International Data Transfer Agreement (IDTA) and draft guidance on transfer risk assessments. The IDTA is considered to be a replacement of former SCCs and facilitates transfers from the UK to non-adequate third countries.

Starting in August 2021, the ICO released the IDTA for public consultation. Despite the name's suggestion, the IDTA is effectively the UK's version of SCCs.

An additional addendum amends the new EU SCCs, to aid data transfers from the UK to countries that do not have equivalent data protection laws.

Lastly, there are transitional provisions that are to be followed for the next couple of years until more concrete legislation on the matter is done.

There are a fair amount of similarities between the IDTA and the EU's new SCCs, such as exhaustive contractual obligations for both the exporters and importers of data internationally. Crucially, the IDTA considers the Schrems II judgement by placing several obligations upon both the importers and exporters of data to and from the UK.

The transitional provisions mentioned above allow organizations following the old SCCs before 21 September 2021 to continue making international data transfers until 21 March 2024. However, this requires that an organization enter an obligation not to change its processing operations during this period and take the appropriate measures to ensure they comply with the IDTA by 21 March 2024.

IDTA vs. EU SCCs

So, how different is the IDTA from the new EU SCCs?

Many of the differences between the two are superficial such as the IDTA being shorter and the language used is more "user-friendly" than that of the new EU SCCs.

There are various practical differences as well. Some of these include the following:

Format

The IDTA does not follow a modular format like the one prescribed in the new SCCs.

The new EU SCCs consist of modules of processor obligations related to data transfers, such as data controller to a data processor, data processor to sub-processor, processor-to-processor, and processor-to-controller contracts. These modules facilitate the implementation of Article 28 of the GDPR.

The IDTA instead introduces a "linked agreement". If a data importer is a processor or sub-processor, they must have a linked agreement in place in line with the IDTA provisions.

Disputes

Another critical difference between the two is the provision in the IDTA that allows parties to resolve disputes by arbitration, with termination provisions in the Addendum and the main IDTA.

The ICO guidance on international transfer and transfer risk assessment is similar to the one issued by the EDPB with some minor differences. The UK approach consists of the same three steps as required by the EDPB when assessing a transfer:

Assess the particular transfer,
Assess the legal protections offered by the third country, and
Assess the potential impact on the data subjects of the transfer and any risk of harm to data subjects you identify.

Scope

The ICO clearly communicated that organizations could choose whether they want to use the Addendum or the IDTA when making international transfers.

The IDTA is an appropriate safeguard that incorporates and modifies the new EU SCCs accordingly to ensure all incoming and outgoing data transfers are afforded proper protection in countries that do not have an adequacy decision.

Alternatively, organizations may opt for using the Addendum since it allows them to use the EU SCCs when making transfers from the EU and additionally, the Addendum when making transfers from the UK at the same time.

The latter approach will appeal to organizations that want a more straightforward drafting process since they offer simpler contractual provisions between the EU and the UK. Moreover, organizations with experience in dealing with the new SCCs may find it more attractive than complying with the UK IDTA since it allows for a more streamlined approach.

Flexibility of Use

This is more of an extension of the aforementioned difference. The IDTA has been designed keeping in view the data transfer requirements of the UK. At the same time, the Addendum allows organizations to continue using the EU SCCs themselves to cover both transfers.

For organizations with a global presence that requires frequent transfers of data in and out of the UK, the EU, and any third country, the IDTA would be the more cumbersome option compared to the Addendum.

That being said, for organizations that will primarily be transferring data only from the UK to a third country, the IDTA may seem like the better option owing to its linked agreement provision, arbitration clauses, and the more user-friendly text.

How Can Securiti Help?

The IDTA will require organizations to assess data flows from the UK to non-adequate third countries.

Naturally, the sheer volume of data involved in such an exercise renders an incredibly arduous task. However, that's where Securiti can be of help.

Securiti is a market leader in providing enterprise solutions in data governance and data compliance. Thanks to its state-of-the-art artificial intelligence and machine learning algorithms, it can resolve your compliance-related issues at the click of a button.

Securiti offers an all-encompassing and comprehensive Schrems-II solution to enable companies to conduct effective cross-border data transfer risk assessments, identify and review data transfers and remediate discovered vendor risks as per the applicable legal requirements. Securiti can show data transfers between the UK and other jurisdictions, allowing you to evaluate data movements. Securiti provides assessment automation, vendor risk assessment, and reporting to audit how your systems comply with The IDTA.

Request a demo today and see how Securiti's tools can help you achieve compliance with both the IDTA and the new SCCs.