Tick tock…UK SCC deadline approaches

Tick, tock, tick, tock….this is a reminder that, in the UK, an important data protection deadline is approaching. By 21 March 2024 UK controllers must have updated their mechanisms for international data transfers, which for most businesses will mean updating their standard contractual clauses (SCCs).

On 21 March 2022 two new international data transfer mechanisms came into force: (1) the IDTA, or International Data Transfer Agreement; and the alternative (2) the UK Addendum, which allowed UK controllers to use EU SCCs and modify them slightly by way of an addendum to cover transfers of personal data from the UK.  For more information on these mechanisms see our blog here (New UK data transfer tools come into force | Fieldfisher)

Transitional arrangements set a deadline of 21 March 2024 for UK controllers either to move to the IDTA or (as most clients did) to put in place the UK Addendum.

Finally, there is the "what if I don’t" question.  Well, failure to update your data transfer arrangements will be a breach of UK data protection law (see Article 44 GDPR), leading to possible enforcement by the Information Commissioner's Office (ICO).  For those who think that enforcement isn’t a high risk, a more significant implication is the need to put your house in order so that M&A activity, supplier due diligence or general contracting activity in your sector is not impacted by such a failure.  Most contracts include warranties of compliance with data protection law, and any form of due diligence will ask about international data transfers and compliance.  Having a positive answer to those questions may smooth the way to contract signature.

We're sure many of you will have addressed this some time ago, but in case you haven’t please do contact us.