ICO consults on rules to protect personal data internationally

The Information Commissioner’s Office (ICO) has launched a public consultation on its draft international data transfer agreement (IDTA) and guidance. When organisations send personal information to a country outside the UK, they must ensure people’s data protection rights continue to be protected. An IDTA is a contract that organisations can use when transferring data to countries not covered by adequacy decisions.

The IDTA will replace the current standard contractual clauses (SCCs) to take into account the binding judgment of the European Court of Justice in a case commonly known as ‘Schrems II’. The ruling required organisations to carry out further diligence when making a transfer of personal data outside of the UK to countries without an adequacy decision.

The consultation is split into three sections, offering a selection of proposals and options to consider: proposal and plans for updates to guidance on international transfers; transfer risk assessments; and the international data transfer agreement.

The ICO is also asking for views on any relevant privacy rights, legal, economic or policy considerations and implications. Responses will help the regulator understand the practical impact of proposed approaches on organisations.

Steve Wood, ICO executive director of regulatory strategy, said: “The modern world involves increasing flows of personal data about citizens to deliver goods and services. Ensuring data is well-protected when transferred outside of the UK will be vital in maintaining people’s trust in the system. Our new IDTA is developed to ensure such protections are in place.”

He added that the new guidance has been designed to be accessible and offer support to all organisations, from SMEs without the benefit of large legal budgets to multi-national companies. The agreements aim to help organisations to continue to trade freely while ensuring the correct protections are in place before transferring people’s data.

“This consultation is important. We know how important it is for transfer tools to work in practice, and the ICO wants to support businesses in this area. The responses we receive will inform our final work and I encourage all organisations that undertake international transfers to engage with the consultation and provide feedback.”

    Share Story:

Recent Stories


Financial institutions were early adopters of cyber security and insurance. Are they still on top of the game?
Managing huge amounts of sensitive data online makes financial institutions a prime target for hackers. As such, the sector was an early cohort for insurers in creating cyber cover. Since then, the market has evolved almost beyond recognition. It continues to challenge itself to this day, complying with rigorous regulatory demands and implementing avant-garde enhancements to keep abreast of the ever-changing risks. Published June 2021

Manufacturing: An industry at risk amid great technological change
Of the many sectors of business, manufacturing companies are among the most at risk from cyber threats. How has the sector evolved to make it so vulnerable and what does the task of managing cyber exposure in a manufacturing company look like? CIR’s latest podcast with Tokio Marine HCC sought to answer all these questions and more. Published April 2021

Advertisement