Latest News

UK SMEs Urged to Update International Data Transfer Arrangements by 21st March 2024

20th March 2024

In a significant development for UK small and medium-sized enterprises (SMEs), a crucial deadline looms on the horizon. Businesses reliant on standard contractual clauses for international data transfers must update their arrangements to comply with new regulations by the 21st of March 2024.


The deadline mandates that UK businesses currently utilizing standard contractual clauses for international data transfers must transition to either the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the new EU Standard Contractual Clauses. Failure to adhere to this deadline could result in potential legal ramifications and interruptions to business operations.


The regulatory shift stems from the evolving landscape of data protection and privacy regulations, particularly in the wake of the UK’s departure from the European Union. As part of its post-Brexit data strategy, the UK government has introduced measures to ensure the continued flow of data between the UK and the EU while upholding high standards of data protection.


The UK Data Protection Regulation 2018 (UK GDPR) contains restrictions on international data transfers. Personal data being transferred outside of the UK must be adequately protected by using the following appropriate measures:


  • Adequacy decision;
  • Binding corporate rules;
  • Approved code of conduct; or
  • Standard contractual clauses.


The introduction in March 2022 of the UK International Data Transfer Agreement (IDTA) and the UK Addendum to the new International Data Transfer Addendum (Addendum) to the new European Commission’s Standard Contractual Clauses (old EU SCCs) by the ICO reflects the UK’s commitment to facilitating seamless data transfers post-Brexit. The ICO granted a grace period until 21st March 2024 for UK businesses to update their existing data transfer arrangements to use either IDTA or Addendum to comply with UK GDPR.


Non-compliance with the new regulations at the end of the grace period, could expose UK businesses to various risks, including fines, legal disputes, and reputational damage. Moreover, failure to update data transfer arrangements may disrupt business operations, particularly for companies engaged in cross-border activities reliant on the seamless flow of data.


The ICO has the power to impose fines of up to £17.5 million or 4% of the total annual worldwide turnover (whichever is higher) on non-compliant businesses. To mitigate these risks and ensure compliance, UK businesses are advised to take immediate action. This involves conducting thorough reviews of their international data transfer arrangements by using the ICO Transfer Risk Assessment guide or consulting data protection experts where necessary, and implementing necessary changes to meet the deadline.


This serves as a critical milestone for UK businesses operating in an increasingly regulated environment. By prioritizing compliance with the new data transfer regulations, businesses can uphold data protection standards, maintain international partnerships, and sustain uninterrupted operations in an evolving digital landscape.


Failure to act swiftly could expose businesses to significant risks and hinder their ability to thrive in an interconnected global economy.


For further help and advice please contact Linda Bazant by email or on LinkedIn