Research and analysis

Phase 1 Evaluation of the implementation of IDTAs - Summary and Conclusions

Published 25 October 2023

Summary

Background and Context

As part of an ongoing review of UK legislation following the UK’s departure from the EU, the UK Government has been revisiting the rules governing the international transfer of personal data. In order to ensure individuals’ data protection rights are upheld, the UK’s data protection framework prohibits the transfer of personal data to countries outside the UK without a transfer mechanism in place, such as adequacy [footnote 1] regulations, appropriate safeguards under Article 46 UK GDPR, or derogations under Article 49 UK GDPR. In the absence of adequacy regulations in respect of a country or jurisdiction, standard data protection clauses have largely been used as appropriate safeguards under Article 46 UK GDPR.

In response to the Schrems II judgement and the UK’s departure from the EU, the International Data Transfer Agreement (IDTA) and Addendum to the European Commission’s Standard Contractual Clauses (SCCs) were developed and issued by the Information Commissioner’s Office (ICO). This followed a consultation with the Department for Digital, Culture, Media and Sport (DCMS) Secretary of State.[footnote 2] The ICO also ran a public consultation seeking views on the draft IDTA. The purpose of developing the IDTA was to create a UK standard form of contractual wording to confer legal protection on companies who need to transfer personal data internationally. Along with the EU SCC Addendum, the documents replaced the EU SCCs (which performed a similar function) on 21 March 2022 (however, the IDTA transitional provisions provide that any Transitional Standard Clauses concluded on, or before, 21 September 2022 shall continue to be valid until 21 March 2024). This came after the DCMS Secretary of State laid the documents before parliament on 2 February 2022.

His Majesty’s Government (HMG) and the ICO are monitoring and evaluating how the change from EU Standard Contractual Clauses (SCCs) to the IDTA and EU SCC Addendum has been experienced by businesses and what the outcomes for businesses are once implemented. To start assessing the impact of the IDTA and how it has been implemented, DCMS commissioned Ipsos to conduct 20 qualitative in-depth interviews, lasting 45 minutes each, with businesses that transferred data internationally.

The research asked questions about:

  • what legal and technical tools businesses used to transfer personal data internationally
  • what businesses’ awareness of and views on the IDTA and EU SCC Addendum were and how they implemented them
  • the costs and benefits to the implementation process
  • why businesses use the legal and technical tools they do to transfer personal data internationally, whether this be the IDTA, SCC Addendum or any other mechanism

Fieldwork was carried out from July to September 2022, following the publication of the IDTA and EU SCC Addendum and before the publication of the ICO’s Transfer Risk Assessment Tool (TRA Tool). A total of 16 businesses were recruited based on their responses in the UK Business Data Survey and 4 businesses through a free-find method. Quotas were used to ensure that interviews included a mix of different sizes, sectors, and regions of businesses. Of the 20 businesses surveyed, one was a sole trader, ten businesses had between one and ten employees, five businesses had between ten and 50 employees and four businesses had more than 50 employees.

This is a qualitative study and gives an indication of the range of issues that businesses may face and the perspectives they have. It does not form a representative sample of businesses transferring data internationally and therefore the findings cannot be reported quantitatively.

Summary of Findings

International data sharing approaches

The types of information the interviewed businesses need to share internationally tend to be either commercially sensitive technical or operational data, or personal data on individuals, whether inside or outside their organisation. This might include Customer Relationship Management (CRM) data, customer details, payroll data or event attendees.

Some of the businesses have formalised systems to share this data internationally. File-share or cloud storage systems, whether off the shelf or bespoke, are common. Shared drives and Secure File Transfer Protocol (SFTP) transfers are also used between clients and suppliers and in larger organisations. Smaller businesses stress that they often feel the need to fall in line with their larger clients’ requirements and preferences for data sharing. Email is a common method of transfer for smaller businesses sharing data less frequently. Awareness that email may not have been a legally compliant method of transferring personal data was mixed, with low knowledge of the differences in how personal and non-personal data should be transferred.

For the small and medium businesses interviewed, guidance is rarely used. For the large businesses interviewed, where they are leading on implementation themselves, their legal teams will use guidance from the ICO, the UK’s independent data protection authority. Additionally, data sharing practices do not appear to be reviewed frequently, except in response to major external events like the introduction of GDPR or Brexit.

Overall, awareness of the IDTA is low among the businesses interviewed, and few of the businesses interviewed have detailed knowledge of it. The larger businesses frequently involved in international data transfers are an exception to this.

Those who feel they know about the IDTA tend to view it as simple and straightforward to implement. This assessment, however, does not always appear to be based on having detailed knowledge of it. It should be borne in mind that the interviews took place before additional ICO guidance on the IDTA and EU SCC Addendum was published, and before the publication of the ICO’s TRA Tool in November 2022.

The smaller businesses or sole traders lacking internal expertise tend to have low levels of awareness of which legal mechanisms to use when transferring data internationally. The most common reason is a lack of knowledge of the data transfer requirements, including the IDTA. The lack of expertise and resources means they prioritise other activities seen as key to the core ventures of their business. They tend to have a strong desire to keep things simple and avoid potential costs and complexities. These businesses generally perceive that the risk of not using legal mechanisms to transfer personal data internationally is low, having never had issues in the past.

Regardless of businesses’ limited understanding of the IDTA, they still employ a range of more general risk mitigation practices due to their general awareness of the need to employ data protection measures. This includes separating databases holding personal data and public-domain information, arrangements to minimise the personal data held by the business, or even indemnity insurance to protect against the consequences of potential misuse of personal data.

A common feature amongst the smaller businesses interviewed is a reliance on larger suppliers to drive contractual standards. These smaller businesses are used to their larger suppliers dictating their approach on compliance matters.

In other cases, the smaller and medium-sized businesses interviewed may also be influenced by very large specialist contractors, particularly cloud providers. As part of supplying cloud services to these businesses on an ongoing basis, these contractors will provide expert ad hoc advice to them in areas like data policy and practice, giving these businesses confidence that they are secure. This is usually at no additional external cost to the business apart from the provider’s regular fees.

The four larger businesses interviewed said that they tend to either handle international data transfer compliance themselves or rely on external contractors. Those who do it themselves use their internal legal teams to implement changes based on ICO guidance. They reported that updating their contracts in this way and integrating the IDTA was usually only a matter of adding a few lines to their existing contracts. Additional costs are low, aside from staff time, and they feel little need to engage outside consultants or train the wider staff body. Their internal expertise usually gives them reassurance that they are taking proportionate actions and are legally watertight. Others rely on advice and implementation support from external lawyers and IT suppliers, who often advise them on how best to place the IDTA into contracts and guide them towards government guidance or the ICO website. The cost for this is usually met within the existing supplier relationship they have with them.

Businesses were asked about the Addendum to the EU SCCs. The process for implementing this was similar to the IDTA, with the key difference relating to guidance. For the Addendum to the EU SCCs, the businesses interviewed needed to use EU-based guidance, as opposed to ICO or UK government guidance. As businesses and legal teams are based in the UK, they preferred to use UK guidance, and they would only use the Addendum if requested to do so.

Conclusion

When it comes to international data transfers, we found a split between businesses of different sizes. The larger businesses we spoke to, on the whole, tended to manage the process of data protection in-house, using internal legal teams or bringing in external consultants. Some of these businesses were aware of the IDTA. Even if they were not aware of the finer details of the IDTA, these businesses tended to have a positive or neutral experience of implementing it. They tended to report low costs and found the implementation process simple and straightforward.

The smaller businesses we spoke to were not proactively engaged in data protection issues and were mostly not aware of the IDTA or EU SCC Addendum. They often said they relied on larger suppliers to drive the process of updating data protection compliance or did nothing proactively unless it was necessary to act.

These two factors combined mean that smaller businesses risk not correctly or fully implementing the IDTA or EU SCC Addendum. While these findings are not based on a representative sample, they suggest a number of possible points for action by the ICO to implement as part of the wider monitoring and evaluation programme:

1. Raise awareness of the IDTA and EU SCC Addendum

Familiarity with the IDTA and EU SCC Addendum, both at an overall and granular level, is uneven, and relatively low among small and medium-sized businesses. Any future ICO information campaign should be targeted at smaller businesses, should aim to achieve greater recognition, and should be thoroughly evaluated in terms of reach and influence on the target audience. As well as boosting awareness, the campaign should emphasise:

  • the importance of taking action, and risks of not doing so
  • the changes that are required to ensure compliance with data protection legislation

2. Monitor implementation of the IDTA and EU SCC Addendum

This research shows that even among businesses that are aware of the IDTA and have taken steps to implement it, they have only made minimal changes. There is also low awareness of the granular detail of the IDTA. While it is encouraging that businesses report low costs and few issues with implementation, there are clear risks to businesses that do not follow the rules properly. The ICO and DSIT should closely monitor issues that arise over the next 2-3 years via regular consultations with the SME community, and be willing to adjust their communications to this audience accordingly if issues emerge. Further to this, the ICO and DSIT should engage with larger software suppliers who have assisted SMEs in the implementation of the IDTA. These can share guidance and best practice and advise on how these SME suppliers can ensure the IDTA is implemented correctly in their contracts.

3. Evaluate the wider impacts of IDTA and EU SCC Addendum uptake

In principle, the widespread adoption of the IDTA should allow businesses to transfer data internationally more easily, free up time to focus on their core operations, increase their turnover and, as a result, improve outcomes across the wider economy. There is some evidence to suggest that this might turn out to be the case, with smaller businesses tending to be guided by larger suppliers and larger businesses, which means they do not need to hire additional staff when implementing new compliance standards. This meant there was a low time burden, potentially allowing them to use this time to be more innovative and save on costs. The ICO and/or DSIT should look to start monitoring among businesses that have recently started undertaking international data transfers. Their growth trajectory over the next few years may provide insights into whether a broader economic benefit from the IDTA can be expected. However, it may be challenging to isolate this type of positive macro-level outcome of the IDTA from broader economic trends.

  1. Since the completion of this research ‘data bridge’ is the term now used by the UK government to describe the mechanism for the trusted flow of data from the UK to another country without restrictions instead of adequacy.

  2. Since the completion of this research there has been a Machinery of Government (MoG) change whereby this policy area now belongs to the new Department for Science, Innovation and Technology (DSIT