The UK government’s reform of data protection laws and the mechanics of cross-border data transfers accelerated in the first half of 2022.
Various European regulators, including the UK’s Information Commissioner’s Office (ICO), have signalled that they intend to monitor compliance with data transfer rules more closely and to impose potentially large fines where breaches are found. In the United Kingdom, fines are capped at the higher of £17.5 million or 4% of the group’s worldwide annual turnover. US recipients of personal data collected in the UK (whether from a group subsidiary or not) should act now to assess their current compliance and close any gaps.
For personal data collected in the United Kingdom to be transferred to the United States in a compliant manner, a number of steps must be taken:
An assessment of the impact of the proposed transfer and the measures taken to mitigate any identified risk to the data should be undertaken (a data transfer impact assessment).
Appropriate data transfer agreements must be in place between the UK data transferor and the US recipient, including a transfer agreement in a form issued by the ICO (an International Data Transfer Agreement or IDTA).
Appropriate information should be made available to data subjects – in the case of employees, this may be through an appropriate privacy notice in the staff handbook.
The company must implement sufficient technical measures, such as data security systems and access restrictions, to protect the transferred data.
Clear internal procedures must be adopted and employees involved in transfers must receive appropriate and regular training on the rules and the rights of the persons concerned.
The IDTA was introduced in March this year to replace, for UK purposes, the approved transfer agreement form issued by the EU, known as the Standard Contractual Clauses (or SCCs). Organizations that have already put the pre-IDTA form of SCCs in place to enable data transfers can continue to rely on them until March 2024, but will need to transition to the new form of IDTA from that date.
Other mechanisms are available to ensure compliance, but the above steps represent the most commonly adopted set of procedures. In the event of an investigation, the ICO will expect to see evidence of the adoption of the required measures and the implementation of appropriate internal procedures.
It is important to note that these rules apply equally to transfers of personal data collected in the UK between group companies and to transfers between unrelated parties. Unless a US parent company has no involvement in, or knowledge of, the HR matters of its UK subsidiary, the ICO expects appropriate data transfer mechanisms to be in place. The ICO website itself gives the following example of a transfer caught by the rules[1]:
Example: A UK company uses a centralized human resources department in the US provided by its parent company. The UK company sends information about its employees to its parent company so that the HR department can process it. This is a restricted transfer.
The UK government has recently published its response to the consultation on proposals to reform the UK data protection regime, which will feature in the upcoming Data Reform Bill. This indicates that future priorities will be to reduce compliance red tape and to extend the list of countries eligible for simplified data transfer procedures, which currently does not include the United States. However, these reforms will take time to implement, are not yet fully detailed and may in any case not extend to data transfers between the UK and the US.
Please contact us if you would like to discuss any of these points in more detail. We have helped a number of clients implement and document compliant data transfer mechanisms. These include UK-US transfers, covering both the transfer mechanisms and the appropriate HR procedures where the data being transferred relates to UK-based employees. We have developed tools designed to help companies meet their obligation to provide relevant training to key employees.