International data transfers: UK GDPR requirements

If your business sends personal data outside the UK, you must ensure adequate protections are in place. This applies whether you're transferring customer data to a cloud provider, sharing employee information with an overseas office, or using third-party services hosted abroad.

UK GDPR Chapter V sets out the rules for restricted transfers - transfers of personal data to countries outside the UK that don't have equivalent data protection standards. You cannot simply send personal data anywhere in the world; you need a lawful mechanism to do so.

When these rules apply

You're making a restricted transfer if you send personal data to:

• A country outside the UK (and EEA) without an adequacy decision
• An international organisation
• A cloud service provider whose servers are located outside the UK
• A subsidiary, branch, or partner in another country

Note: Transfers within the UK, and to the EEA (EU plus Iceland, Liechtenstein, Norway), are not restricted transfers.

Step 1: Check if the destination has an adequacy decision

The easiest way to transfer personal data outside the UK is to a country with an adequacy decision. This is a formal recognition by the UK government that a country provides an equivalent level of data protection to the UK.

If a country has an adequacy decision, you can transfer personal data there without additional safeguards - it's treated like a transfer within the UK.

Step 2: Use appropriate safeguards if no adequacy decision

If transferring to a country without an adequacy decision, you must implement one of the following safeguards:

Standard Contractual Clauses (SCCs)

SCCs are the most widely used mechanism for international transfers. They are pre-approved contract terms that bind the data importer to protect personal data to UK standards, even if local law is weaker.

Types of SCCs:

• Controller to Controller (C2C): When you share data with another organisation that decides how to use it
• Controller to Processor (C2P): When you send data to a service provider that processes it on your behalf
• Processor to Processor (P2P): When a processor engages a sub-processor
• Processor to Controller (P2C): Less common - when a processor sends data to a controller

You must select the appropriate module based on your relationship with the recipient.

UK International Data Transfer Agreement (IDTA)

The IDTA is the UK's own transfer mechanism, approved by the ICO in March 2022. It's designed specifically for UK GDPR and can be used as a standalone document.

When to use the IDTA:

• You're a UK-based organisation making transfers for the first time
• You want a single, simpler document instead of adapting EU SCCs
• You're setting up new vendor relationships

Key features:

• Tables to complete with transfer details (parties, data types, safeguards)
• Mandatory clauses that cannot be amended
• Some optional clauses that can be tailored
• Clear allocation of responsibilities between exporter and importer

UK Addendum to EU SCCs

If you already have EU SCCs in place (for EU GDPR compliance), you can add the UK Addendum to extend their coverage to UK data transfers. This is often simpler than adopting a completely separate IDTA.

When to use:

• You already have EU SCCs with a vendor
• You need to cover both EU and UK transfers to the same recipient
• Your vendor prefers to work with SCCs they're familiar with

The UK Addendum is a short document that references the EU SCCs and modifies them for UK law.

Step 3: Conduct a Transfer Risk Assessment (TRA)

Even with SCCs or an IDTA in place, you must assess whether the safeguards will work in practice. This is called a Transfer Risk Assessment (sometimes called a Transfer Impact Assessment).

You must assess:

• The laws of the destination country - could local authorities access the data?
• Whether the contractual protections can be enforced in that country
• The specific circumstances of your transfer (sensitivity of data, volume, recipient)
• Whether supplementary measures are needed to plug any gaps

Supplementary measures

If your TRA identifies risks that SCCs/IDTA alone cannot address, you may need to implement supplementary measures:

• Technical measures: End-to-end encryption (where you control the keys), pseudonymisation, split processing across jurisdictions
• Contractual measures: Additional audit rights, transparency reporting, commitments to challenge government access requests
• Organisational measures: Due diligence on the importer, staff training, governance policies

If no combination of safeguards and supplementary measures can adequately protect the data, you should not make the transfer.

Exemptions (derogations)

In limited circumstances, you can transfer personal data without adequacy or safeguards. These exemptions should be used sparingly and do not allow for regular, repetitive transfers.

Using exemptions correctly

Explicit consent is commonly misunderstood. It requires:

• Clear, specific information about the destination country and risks
• An affirmative action from the individual (not pre-ticked boxes)
• The individual must have genuine choice - consent isn't valid if they have no alternative
• Easy withdrawal of consent at any time

Contract necessity must be genuinely necessary, not just convenient. You cannot rely on this exemption if you could perform the contract without the transfer (e.g., using a UK-based provider instead).

Exemptions are not a general solution. They're designed for occasional, specific transfers - not for routine business operations like using overseas cloud services or sending employee data to a foreign head office.

Penalties for unlawful transfers

Transferring personal data outside the UK without appropriate safeguards is a serious breach of UK GDPR. It falls under the higher tier of penalties.

Practical compliance checklist