International Data Transfers

The UK GDPR currently governs data processing within the UK. Adequate data protection safeguards or adequacy regulations, as determined by the UK, are a prerequisite to any transfer of UK personal data to a ‘third country’. You can find the list of countries and territories with adequacy or partial adequacy status here.

If there is no adequacy regulation in place for the country or territory that you want to transfer personal data to, then you need to determine whether you can make the transfer subject to ‘appropriate safeguards’.

UK organisations will need to ensure that their data processing uses one of the appropriate safeguards as listed in Article 46 of the UK GDPR in order to continue the transfer to a third country. These are also known as Article 46 transfer mechanisms. Two of the most relevant safeguards for businesses are Binding Corporate Rules and standard contractual clauses.

Binding Corporate Rules may be appropriate for intra-group transfers. For UK organisations wanting to send data to external organisations located in a third country without an adequacy decision in place, standard contractual clauses, implemented in the UK as the International Data Transfer Agreement (IDTA) and the International Data Transfers Addendum, will be more appropriate.

Before you rely on an Article 46 transfer mechanism, you may need to conduct a transfer risk assessment. You can find more about transfer risk assessments (TRAs) here and access the ICO’s TRA tool here.

Further information on international data transfers can be found here. Again, if you have any specific questions, we recommend you seek the advice of a legal adviser.

For further information please contact: