Your New Contractual Obligations for UK Data

With the UK’s withdrawal from the EU, the UK is transitioning from its reliance on EU GDPR requirements for the transfer of UK personal information outside of the UK. 

The UK’s own requirements are finalised, and there are a range of measures, processes and controls that businesses need to implement when transferring UK personal information from the UK, including updating their contracts to reflect the UK’s new contractual requirements (the new UK contractual requirements).

If your business handles personal information relating to any individual in the UK and it is transferred outside of the UK, e.g. you’re a SaaS business with UK customers, there are likely 2 ways this could go.  If your business:

  • transfers UK personal information to, and handles it in, New Zealand only, then you will not need to implement the new UK contractual requirements because the UK thinks NZ provides an adequate level of protection.  However, countries like Australia and the USA are not considered adequate.  So if your business uses sub-processors in a country that isn’t adequate (and this is true of most SaaS businesses that use AWS or Azure as they don’t currently have NZ data centres), this exception will not apply to you
  • transfers UK personal information to, and/or handles it in, a country that doesn’t have adequacy (an external transfer), then you need to include the new UK contractual requirements in your customer contracts.

how do you comply?

If your business makes external transfers, then your customer contracts will need to include the new UK contractual requirements by the dates discussed below.  The UK regulator has issued templates that you can adapt and use in your contracts to meet the new UK contractual requirements (see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/). These are:

  • the International Data Transfer Agreement.  If you don’t have a data processing agreement, this document includes all of the provisions you need to include in your contract to meet the new UK contractual requirements
  • the UK Addendum.  If you already have a data processing agreement (i.e. that meets EU GDPR requirements for international transfers), then this is the document for you.  It expands on the EU GDPR requirements so that your data processing agreement will meet both the EU GDPR requirements and the new UK contractual requirements. 

key dates

  • 21 September 2022 – from this date, any new contract you sign that covers an external transfer needs to meet the new UK contractual requirements
  • 21 March 2024 – until this date, your older contracts (entered into on or before 21 September 2022) are deemed to meet the new UK contractual requirements for external transfers if they comply with EU GDPR requirements
  • 21 March 2024 – after this date, you cannot rely on EU GDPR requirements to meet the new UK contractual requirements for external transfers.  By this time, you must have varied your existing contracts to cover the new UK contractual requirements.

what do I do if this applies to my business?

You should update your templates to include the new UK contractual requirements so that they can be rolled out by no later than 21 September 2022 and prepare a plan for how you’ll transfer existing affected customers to the new UK contractual requirements in time for 21 March 2024.  If you have regular contractual reviews and renewals, that will be a good time to raise this with your customer.
