Robert Bateman

International Data Transfer Agreement

What is the International Data Transfer Agreement (IDTA)?

The International Data Transfer Agreement (IDTA) is a legally binding document that governs the transfer of personal data from the UK to other countries, ensuring compliance with the UK GDPR. Post-Brexit, the IDTA is a key mechanism to maintain data protection standards during cross-border transfers to non-UK entities.

Understanding when to use the International Data Transfer Agreement, conducting a Transfer Risk Assessment, and staying informed about legal obligations are key to ensuring the security and privacy of personal data across borders.

When should you use the International Data Transfer Agreement?

You will need to use an IDTA when transferring personal data to a country outside the UK that does not have an "adequacy decision" from the UK government. The IDTA helps ensure the same level of data protection is maintained, regardless of the location of the recipient. In some cases, businesses may also consider using the IDTA in combination with the EU’s Standard Contractual Clauses (SCCs) or other contractual tools, especially if transfers include both EU and UK data.

Key components of the International Data Transfer Agreement

The IDTA includes specific clauses that outline the responsibilities of both parties in ensuring the security and privacy of personal data. It addresses key issues such as:

  • Data processing obligations
  • Security measures
  • Data subjects’ rights
  • Transfer Risk Assessment (TRA) requirements

What is a Transfer Risk Assessment (TRA)?

Before using the IDTA, businesses are required to conduct a Transfer Risk Assessment (TRA). This assessment helps organisations evaluate the risks involved in transferring data to non-UK entities, ensuring that the level of protection is adequate and in compliance with UK data protection laws. This is particularly important for transfers to countries without an adequacy decision.

International Data Transfer Agreement vs other transfer tools

The IDTA is one of several tools for international data transfers. It is specifically designed for UK data transfers, whereas the Standard Contractual Clauses (SCCs) are still used for EU data transfers. Businesses that handle both UK and EU data may need to use both the IDTA and SCCs depending on the transfer's location.

Other tools for transfers include:

  • Adequacy regulations: Used when the recipient country has been deemed to have adequate data protection laws.
  • Binding Corporate Rules (BCRs): Internal policies for multinational organisations.

Practical tips for businesses

  • Automate your data transfers: Use technology to streamline the management of data transfers, ensuring that IDTAs are applied correctly and regularly updated.
  • Monitor compliance: Regularly review and update transfer agreements to reflect any changes in data processing activities or legal obligations.
  • Seek legal advice: For businesses transferring significant amounts of data, consulting with legal experts can ensure that data transfers comply with all applicable regulations.

What is an example of an International Data Transfer?

Here’s an example of an international data transfer that can be covered by an IDTA:

  • NewsBook, a UK media publisher, wants to use analytics software to see how people use its app.
  • NewsBook decides to engage DataBraz, an analytics provider based in Brazil.
  • NewsBook will send DataBraz data about its users for analysis in Brazil.

In this scenario, we have an exporter, NewsBook (covered by the UK GDPR), and an importer, DataBraz (not covered by the UK GDPR).

The following example is not an international data transfer:

  • NewsBook’s CEO goes on a business trip to Brazil.
  • She accesses personal data about NewsBook employees and customers while in Brazil.

Although the personal data is being accessed in Brazil, there’s only one party here—NewsBook.

An international data transfer requires two legally distinct entities: a UK-based exporter and a non-UK importer, with the importer making personal data available to the exporter.

Key Takeaways & Wrap Up

In this article, we have helped you understand the following about the International Data Transfer Agreement (IDTA):

  • The International Data Transfer Agreement is a legally binding document ensuring UK GDPR compliance when transferring personal data from the UK to non-adequate countries.
  • It is required for transfers to countries without a UK adequacy decision and may be used alongside EU Standard Contractual Clauses (SCCs) for transfers involving both UK and EU data.
  • Key components include data processing obligations, security measures, data subjects’ rights, and a mandatory Transfer Risk Assessment (TRA).
  • The IDTA complements other tools like adequacy regulations and Binding Corporate Rules (BCRs) for cross-border data transfers.

The IDTA ensures data protection during international transfers and is crucial for businesses managing UK personal data. To explore how Privasee can assist with data transfer compliance, book a demo today. 

International Data Transfer Agreement - FAQs

Is the IDTA the same as the SCCs?

No, the IDTA is specifically for UK data transfers, while the SCCs are used for EU data transfers. Businesses transferring data across both regions may need to use both.

When do I need a Transfer Risk Assessment (TRA)?

A TRA is required before transferring data to a non-UK entity using the IDTA. It assesses the data protection risks in the recipient country.

Can small businesses use the IDTA?

Yes, the IDTA is applicable to businesses of all sizes that need to transfer personal data internationally while remaining compliant with UK GDPR.

What are adequacy regulations?

Adequacy regulations are decisions by the UK government that a third country’s data protection laws offer equivalent protection, allowing for easier data transfers.

July 24, 2024
