Frequently Asked Questions

UK: Should I be concerned with transferring data internationally?

The UK's implementation of the General Data Protection Regulation (Regulation (EU) 2016/679), known as the “UK GDPR”, allows for transfers of personal data outside of the UK, so long as rights with respect to an individual’s personal data are protected. It is common practice for companies to engage third-party vendors for a variety of reasons, e.g., cloud hosting services, application development, HR and IT support and/or obtaining SaaS products. It is likely that some of these third-party vendors will be established outside of the UK and therefore that personal data will be transferred internationally.

Where your company is transferring personal data to international third-party vendors, you will need to ensure that you are protecting the rights of individuals with regard to their personal data. You should seek to protect these rights by entering into a contract with the third party (either a Data Processing Agreement or a Data Sharing Agreement, depending on the nature of the transfer of personal data). This contract will need to make reference to the appropriate international data transfer mechanism, which in practice will be either:

  1. transferring personal data on the basis of an adequacy decision i.e., to those jurisdictions recognised by the UK Secretary of State as providing adequate protection of personal data (a list of these jurisdictions can be found here) (an “Adequate Jurisdiction”); or
  2. transferring personal data on the basis of other appropriate safeguards, if personal data is being transferred to a jurisdiction that is not considered to be an Adequate Jurisdiction. In the UK, you will need to incorporate either the UK’s standard data protection clauses (the International Data Transfer Agreement or IDTA) or, if your company also operates in the EU, the Addendum to the EU’s standard contractual clauses. A transfer risk assessment will also need to be undertaken to ensure the recipient of the personal data is able to provide a level of protection of the personal data that is essentially equivalent to that under the UK GDPR.

Learn More: UK Founder Series: Compliance Matters