Phase 2 Evaluation of the implementation of IDTAs - Research Findings
Updated 22 August 2025
Qualitative research with businesses in the United Kingdom
Amrita Sood and Ruth Fitzell, Ipsos
June 2025
1. Executive summary
The Department for Science, Innovation and Technology (DSIT) commissioned Ipsos to conduct qualitative research to gain a better understanding of businesses’ awareness and use of international data transfer mechanisms, with a focus on the International Data Transfer Agreement (IDTA). The purpose of the IDTA is to provide a UK-specific framework for lawfully transferring personal data from the UK to countries that do not have a UK adequacy decision. The IDTA, together with the UK Addendum to the EU Standard Contractual Clauses (SCCs), came into force on 21 March 2022 as the UK’s replacement for the EU SCCs (which performed a similar function) for transfers from the UK. This research is the second phase of the evaluation of the implementation of IDTAs. [footnote 1]
Fifteen qualitative in-depth interviews were conducted with UK businesses between February and March 2025. All fifteen businesses interviewed transferred data internationally, and most were larger businesses, in contrast to the first wave of the evaluation of the implementation of IDTAs, in which most participating businesses were small. This primary research has been complemented by quantitative findings from the UK Business Data Survey conducted in 2022 and 2024.
1.1 Quantitative findings from the UK Business Data Survey (UKBDS)
There is no precise quantitative estimate of the uptake of IDTAs, nor of the trends in the use of other international data transfer tools (ITTs). This is mainly because the small samples of respondents in the UK Business Data Survey in 2022 and 2024 make the error margins relatively large, which limits the ability to robustly detect small changes. In 2024, between 6% and 23% of businesses that share personal data internationally said they used IDTAs, compared with between 14% and 35% that said they used Standard Contractual Clauses (SCCs).
1.2 Qualitative findings from the businesses spoken to as part of this research highlight the following themes directly related to IDTAs and other ITTs:
IDTAs: DPOs in larger businesses were aware of IDTAs, and those that had used them recognised that they were shorter, and written in simpler language, than the EU SCCs. However, larger businesses that operated in the EU preferred to use the EU SCCs with the Addendum because it was easier to use one type of SCC, and the IDTA would not be appropriate for the majority of their transfers, which included EU data.
Preferred international data transfer tools: data adequacy and the EU Standard Contractual Clauses were the international data transfer tools most used by businesses in this wave of the IDTA evaluation, even though the research actively tried to recruit businesses that had used IDTAs.
The Addendum to the EU SCCs was considered a good solution to the UK leaving the EU, even though implementing the Addendum was a significant administrative task for some larger businesses.
Larger businesses had incurred some costs dealing with international data transfers: some had consulted external legal counsel, some subscribed to ‘OneTrust’, and others said the main cost was related to the staff time required to update the EU SCCs with the Addendum.
Larger businesses were familiar with Transfer Risk Assessments and some regularly used them. In contrast, smaller businesses were not familiar with them and felt overwhelmed by their length and complexity.
Businesses had different views on the value and benefit of international data transfer tools; for some it was important to have confidence that they are treating personal data carefully and the tools had commercial benefits in offering reassurance to clients. For others, it was perceived as no more than a ‘tick-box’ compliance exercise.
1.3 Qualitative findings from the businesses spoken to as part of this research highlight the following themes related to sharing data internationally more generally:
Awareness and knowledge: there was significant variation in awareness and knowledge of international data transfer tools among participating businesses. Smaller businesses were generally less aware of them. Specialist data protection professionals (DPOs) were generally more knowledgeable than participants who had a say in their business’s data policies but whose main role lay elsewhere, such as in IT.
The importance of data sharing: businesses that transfer data internationally, irrespective of size, do so because it is necessary to operate effectively.
Client and supplier driven decisions: although other factors played a part, the choice of methods for transferring data internationally was influenced by client or supplier preferences, particularly for smaller (sole trader, micro and small) businesses. The underlying assumption was that the client or IT supplier had done the data sharing due diligence.
2. Introduction
2.1 Research context
The 2024 UK Business Data Survey (UKBDS) is a telephone and online quantitative study of UK businesses. It focused on the role of digital data in UK businesses, international transfers of data and activities for data protection compliance.
Following the quantitative 2024 UKBDS, the Department for Science, Innovation and Technology (DSIT) commissioned Ipsos to conduct qualitative research. This was to gain a more detailed understanding of the international data transfer tools that businesses use, with a specific focus on awareness and use of the IDTA and of the EU SCCs with the UK Addendum. It builds on Wave 1 of the IDTA evaluation, which was conducted in 2022 with 20 businesses.
2.2 Research aims
The aims of this research were to:
- understand what legal and technical tools businesses use to transfer personal data internationally
- understand businesses’ awareness and views on the IDTA and EU SCC Addendum and how their introduction has impacted their processes
- explore why businesses use the legal and technical tools they do to transfer personal data internationally
- explore businesses’ awareness and views of Transfer Risk Assessments (TRAs) and the Information Commissioner’s Office’s (ICO’s) TRA tool
2.3 Methodology
Ipsos conducted 15 qualitative in-depth interviews with UK businesses between February and March 2025. The businesses ranged in size and industrial sector; however, because they were recruited on the basis of awareness of IDTAs, there was a natural skew towards larger businesses. This contrasts with Wave 1 of the IDTA evaluation, where only 2 of the 20 interviews were with large businesses. Comparisons between the smaller businesses in Wave 1 and in this round of interviews are therefore possible, but the views of larger businesses cannot be contrasted across the 2 waves.
A recruitment screener was used to confirm eligibility for the research and to ensure a spread of business size, sector, turnover and location. Please refer to Annex 1 for a breakdown of the subgroups interviewed.
Participant role varied, but all held positions of responsibility for data in their business and they tended to make decisions on transferring data internationally. After the initial 5 interviews, recruiters focused more explicitly on DPOs when recruiting larger businesses, because it became clear from the interviews that they were the professionals with the expertise to speak about international data transfer tools with knowledge. In total, 6 interviews were with DPOs.
A discussion guide was developed by the Ipsos and DSIT research teams. This was to ensure the relevance of all questions asked. The discussion guide used in interviews with businesses is included in the Annex to this report.
Interviews with businesses lasted between 45 and 60 minutes and were conducted via Microsoft Teams. Ipsos provided a ‘thank you’ payment of £100 to businesses either in the form of a bank transfer or charity donation, dependent upon the participant’s preference.
This primary research has been complemented by secondary data analysis of the UK business data survey publications of 2022 and 2024.
2.4 How to read this report
Please see the Glossary and Abbreviations section at the end of this page for full details of the terminology used in this report.
Direct quotes have been included in this report to illustrate and highlight key points and common themes. Where direct quotes are used, they have been anonymised and attributed with the following characteristics:
- sector – the sector the business operates in
- size – the size of the business
Please note that 2 or more participants may have the same information in the attributions for their quotes.
The findings in this report are intended to provide insight into the behaviours, views, and experiences of a range of businesses. By design, the research set out to capture a rich and detailed understanding of different behaviours, views, and experiences. This research did not set out to determine the prevalence of these behaviours, views, and experiences.
Where the report indicates that ‘few’, ‘some’, or ‘many’ businesses experienced or felt something, this is in relation to the research participants only. Other than the supporting quantitative analysis in Chapter 6, findings cannot be considered representative of the entire UK business population and should not be interpreted as generalisable.
3. Understanding businesses that participated and the data that they transferred internationally
Chapter summary
This chapter provides an overview of businesses that participated in this research. This includes what, why, where, and how they transferred data internationally as well as factors that drove their approach to this.
Thirteen of the businesses that participated had transferred data internationally since they were established and considered it essential to their business function. Data was transferred to the European Union, which holds a UK adequacy decision, and to the United States, where adequacy applies only to transfers to organisations certified under the UK Extension to the EU-US Data Privacy Framework (the UK-US ‘data bridge’); this included personal data such as customer information and payroll information. Businesses also transferred data to a range of non-adequate countries including China, Australia and India. The large businesses had thousands of employees and offices in multiple countries.
Secure platforms such as Virtual Private Networks (VPNs), cloud services and file transfer systems were used to transfer personal data. Smaller businesses had less technical knowledge of how data was transferred; they were more likely to mention email, or to say that they used whatever software their larger clients requested.
3.1 Transferring data internationally was essential to business function
Most businesses that participated in the research had begun to transfer data internationally as soon as they were established.
Transferring data internationally was essential to business function for most businesses that participated in this research irrespective of their size or sector. Transferring data internationally was central to working with clients, colleagues and third parties in other countries. One business was predominantly UK based, however, the DPO said that international data transfers were still important because some of their IT suppliers were based outside of the UK.
3.2 Businesses that participated were most often transferring data between the UK, the EU and the United States
Businesses that participated in the research transferred data to a wide range of countries. The most frequently mentioned countries and regions for international data transfer were the United States, and countries within the EU.
A few of the businesses shared data with their offices in 30 or more countries and customers across all continents.
3.3 Businesses regularly transferred a range of personal data
The following types of data were the most commonly transferred by businesses that participated:
- customer contact information such as names and email addresses
- human resources data such as sensitive employee data and payroll information
- financial accounting, market, sales and website data
- scientific, analytical, and research and development data
3.4 Businesses used a variety of methods to transfer data internationally
In contrast to the UKBDS 2024 qualitative research on international data transfers [footnote 2], email was infrequently mentioned as a method of transferring data; the smaller businesses were the most likely to mention it. Data was often protected, for example through password protection and two-factor authentication, because businesses felt that this gave reassurance that the data was safe and would be transferred by a secure method.
Businesses also used a variety of other methods to transfer data internationally, which they said provided reassurance that the data had been protected. Examples included Google Drive, SFTP (Secure File Transfer Protocol), VPNs, Dropbox, shared servers and SAP Ariba.
Larger (medium and large) businesses that participated tended to use more sophisticated methods, such as cloud-based Enterprise Resource Planning (ERP) systems and secured servers, to transfer data internationally.
3.5 Smaller businesses had very low awareness of international data transfer tools
As in the Wave 1 IDTA evaluation [footnote 1], smaller businesses were not familiar with international data transfer tools. A few talked in vague terms about contracts or non-disclosure agreements (NDAs) specifying how they handle data, but they were not familiar with the terms EU SCCs, IDTAs, BCRs or data adequacy.
Among smaller businesses, there was some conflation between international data transfers and broader data and cyber security. For example, when asked about Standard Contractual Clauses, one small business owner talked about cyber security accreditation and ISO 9001 (a quality management standard). Another small business owner had contracts with large defence contractors and had to sign NDAs at the start of every project, which he said covered international data transfers. He was, however, unable to talk in any detail about these contracts or about international data transfer tools. He explained that they use SAP Ariba, as dictated by their clients, and implied that he assumed the clients were responsible for ensuring compliance.
The smaller businesses handled personal data, but their knowledge of and attitude towards it was very different from that of the DPOs in larger businesses. They acknowledged that they lack expertise and said that they try their best to protect data using what they perceive as a ‘common sense’ approach. They suggested this meant things like password-protecting data, limiting access to personal data and using multi-factor authentication; however, their technical understanding was limited. This contrasts with the DPOs in larger businesses, who had a deeper technical understanding of data in terms of types of data, storage, retention and transfers, and a greater understanding of the risks and regulations relating to data. However, even DPOs acknowledged the increasing pressure and challenge of keeping up to date with the speed of developments in data and therefore in data protection.
“For me it’s like a gentleman’s agreement. You just respect the data. I work on my own, I work from home, I rarely take my computer out. So, you know, it’s just common sense really.”
Administrative and Support Service Activities, sole trader
As in the first wave of the evaluation, smaller businesses often used the mechanisms that their larger clients requested them to use to transfer data internationally. They assumed that large businesses, for example, large IT suppliers, would have conducted the necessary due diligence on data transfers.
“My personal experience is it’s more on them than it is on us…I tend to make an assumption that they know better than me.”
Professional, Scientific and Technical Activities, small business
Smaller businesses were also more likely to use email for data transfers and suggested that they faced a lower risk of data breaches because of their size. For one sole trader, this assumption was reassessed during the interview: they had initially thought they did not handle much personal information, but realised that they were transferring sensitive medical information on identifiable individuals (special category data under the UK GDPR) via email and storing it indefinitely. They did not think the risk of a breach was high, but realised that they should not be transferring this information by email or storing it indefinitely.
“I think bigger companies have a higher risk. No-one knows who I am, so I think I’m a lower risk.”
Administrative and Support Service Activities, sole trader
Several larger businesses also referred to cases where their clients or suppliers determined their processes. For example, a large retail business referred to a contract with a large US department store and explained that:
“Because they’re a lot of our trade, we kind of bend over backwards to make sure we’re meeting their requirements rather than they meet our requirements.”
Retail, large business
4. Businesses’ awareness, views and use of international transfer tools
Chapter summary
This chapter discusses business awareness, views and use of international transfer tools and data adequacy.
Businesses had varied familiarity with international transfer tools. Smaller (sole trader, micro and small) businesses were less aware of them. The preferred tools of larger (medium and large) businesses were the EU Standard Contractual Clauses with the Addendum and data adequacy. Awareness of the UK’s IDTA varied among larger businesses, in part because it was not felt to be appropriate for those whose data transfers included EU data, who therefore used the EU SCCs with the Addendum. A few larger businesses were not familiar with IDTAs at all.
4.1 Larger businesses were very familiar with international transfer tools, although level of understanding was driven by use and potentially by professional training of DPOs
Participants from larger businesses were predominantly DPOs and they discussed the various mechanisms spontaneously in most interviews.
In the interviews we showed participants descriptions of the legal mechanisms that allow personal data to be transferred internationally lawfully. These were:
Data ‘adequacy’: a status granted by the UK to countries that it has assessed as providing an adequate standard of protection for personal data, so that personal data can be sent there without further safeguards.
Standard Contractual Clauses: clauses inserted into contracts that provide appropriate safeguards under the UK GDPR for personal data being sent to a country without adequacy. The IDTA and the EU SCCs with the Addendum were the 2 forms of SCC explored in this research.
Binding Corporate Rules: rules designed to provide appropriate safeguards for restricted transfers within a corporate group. They are intended for use by multinational corporate groups, groups of undertakings or groups of enterprises engaged in a joint economic activity, such as franchises, joint ventures or professional partnerships, and must be approved by the ICO before they can be relied on.
Overall awareness of international transfer tools tended to be high among larger businesses where the participant was generally a DPO. The interviews with larger businesses where the participant was not a DPO demonstrated less detailed knowledge of transfer tools. Smaller businesses (where interview participants were not DPOs either) were often unable to relate to the term ‘tools’, they had not heard of EU SCCs, IDTAs, BCRs or data adequacy and a couple conflated IDTAs with international data transfers more generally.
Some DPOs themselves mentioned the difficulty of keeping on top of developments in data protection law and of their own professional development. For example, one DPO worked in a mainly UK-based organisation where he was the only data protection specialist.
“The problem that most people in my role have, is that as a DPO, unless you work in a huge organisation, you’re usually working alone or in a very small team…I’m definitely not as well informed as I would like to be on this topic because it’s not a daily occurrence.”
Human Health and Social Work Activities, large business
4.2 Businesses with less awareness and knowledge about international transfer tools were resistant to the idea that they were necessary
Participants who did not know about or use international transfer tools were asked their opinions after being told about the tools that allow data to be transferred internationally lawfully. These participants, all from smaller businesses, generally raised concerns about the necessity and practicability of the tools. They explained that they have limited resources and many competing demands, and gave the impression that they do not see this as a priority.
“I only have a certain amount of resources. I’ve been working with some of these clients for 20 years and it’s just about trust, isn’t it?”
Administrative and Support Service Activities, sole trader
4.3 EU SCCs with the Addendum were used by all larger businesses
EU Standard Contractual Clauses with the Addendum were generally used as standard with clients among larger businesses that participated. The use of Standard Contractual Clauses tended to be routine and well-established and when the UK left the EU, adding the Addendum was felt to be the most straightforward approach to international data transfers.
For some businesses, Standard Contractual Clauses provided assurance even when data adequacy was in place. This was because it was felt that they provided a safety-net and meant that should there be changes in which countries are deemed adequate, there would be no disruptions to processes. Several businesses raised concerns around possible future changes to legislation in the US and EU.
“Politically, it doesn’t help anybody to have adequacy threatened in any way between UK and the EU. It’s the second line of defence, in the event that that does occur, you don’t have to then go through this massive exercise of updating or varying contracts then, because they are already in there.”
Other Service Activities, large business
Perceptions of the impact of the Addendum varied, partly by role. Some DPOs suggested that it was quite onerous, as it was a significant administrative task to oversee. One DPO of a large events company described updating contracts with the Addendum as a huge administrative task with little compliance benefit. He explained that it took over a year to update all the contracts and to follow up with vendors to ensure that they had received and read the contract updates, and that in some instances vendors did not confirm the variation. This created additional work, as the compliance team had to keep a record of the missing confirmations or risk being found to be failing to monitor compliance. He was not able to put a cost on the resources used to manage this process, but explained that his organisation had prioritised it, which meant other tasks were deprioritised. He explained that they assess how likely a regulator is to enforce a requirement and use this to inform their prioritisation. However, he was critical of the prospect of penalties for not putting the Addendum in place.
“It is a relatively low risk versus something that is likely to have a substantive detriment to the rights and freedoms of an individual. It still got prioritised as something that needed to be moved forward, and it couldn’t be left as it was before, just with the standard contractual clauses in place.”
Professional, Scientific and Technical Activities, large business
Other DPOs supported this view that SCCs add little benefit, referring to SCCs as ‘legal fiction’ or data protection ‘lip service’. They suggested that their business would take on the risk if clients, partners or suppliers did not acknowledge the Addendum, because they pick suppliers and partners that help them be commercially successful and do not want to deter them by pushing too hard on compliance.
“We want to work with these people in the future. We don’t want to get a reputation for being difficult.”
Arts, Entertainment and Recreation, large business
Participants in roles other than DPO perceived the Addendum to the SCCs as quite straightforward to implement. They perceived it as a few paragraphs to be inserted into contracts that did not change much. However, this might reflect a lack of understanding of the actual work involved in such a task for a large company with clients and suppliers in a wide range of countries.
DPOs also raised the point that they had seen organisations edit the text of SCCs without realising that this undermines the legal safeguards the standard clauses are designed to provide: the clauses only function as an approved transfer mechanism if their substantive terms are left unchanged.
Views on the advantages of EU SCCs with the Addendum were mixed. Some negative views are covered above. Other DPOs spoke positively about how the Addendum was a relatively straightforward solution to still being able to use existing SCCs after the UK left the EU, and that it increased confidence to move operations offshore to cheaper markets.
“I think knowing a company can have faith in a contract and they believe that a person’s data is safe in our hands has definitely helped sell into offshore markets…it’s reassuring.”
Other Service Activities, large business
4.4 IDTAs were not used much by larger businesses because data transfers included EU data
DPOs from larger businesses we interviewed had heard of the IDTA but most did not use it. This was generally because the vast majority of their international data transfers included some EU data, and they found that it is easier to deal with one type of SCC.
“I have too much to do, same as everybody else, not quite enough capacity. So, I just pick the easiest method to remain compliant and move forward. That’s the driver behind it, is the efficiency of it. And there are efficiencies with the UK method, but because they don’t impact Europe, those efficiencies disappear.”
Information and Communication, large business
As a result, they were not familiar with the content of the IDTA and were unable to comment on how it compared to the EU SCCs.
Amongst those DPOs familiar with the detail of IDTAs, views were mixed (although note we interviewed very few DPOs with intimate knowledge of IDTAs).
A few of the DPOs had looked through the IDTA and commented that it offered efficiencies over the EU SCCs because the IDTA is shorter, easier to follow, and the language is simpler.
“The ICO, they tend to use better language in terms of getting across to people who are not lawyers.”
Arts, Entertainment and Recreation, medium business
For example, one DPO was very positive about IDTAs; he liked the focus on the risk of the data rather than the impact of the transfer, which meant for straightforward transfers of data such as email addresses, the process was very quick.
Other DPOs expressed less positive views. Some DPOs, although aware of the benefits of the IDTA and the TRA compared with the EU SCCs, chose to stick with the EU SCCs. They gave 2 main reasons: the EU SCCs were already established and working fine, and their businesses’ transfers typically included both UK and EU data, so they did not think IDTAs were appropriate.
“The problem with IDTAs is they’re just UK based and it is really rare that I deal with just UK data…because all my data, I’m going to have people from France, from Germany, from Poland…at this present moment, everything is European driven and everything is just the addendum to the SCCs. It minimised my paperwork. That’s it.”
Information and Communication, large business
One DPO who had not used IDTAs provided some feedback on his perception of how the IDTA had been received by the data protection community. He said it is perceived as a burdensome administrative task that is not in line with the level of risk. He described it as a ‘technical compliance requirement versus something that is substantively likely to impact the rights and freedoms of individuals’. He felt that it would have been more efficient for the ICO to take on some of the risk assessment process. He gave an example of data transfers to India, where there is a high volume of UK based businesses undertaking the same risk assessment for certain types of processing task. He thought the ICO could have assessed the level of risk for these tasks and reduced the amount of paperwork for businesses.
“I think there’s an opportunity to drive some of that admin on a central basis, rather than pushing it out to organisations to basically repeat the same task in relation to the same number of processing activities to the same country….It could have thought about being a business enabler by taking on some of that and reaching out to central government for additional funding to support that activity.”
Professional, Scientific and Technical Activities, large business
Another DPO who worked for a large company that organises business conferences said that implementing IDTAs incurred significant costs for the company. He explained that sometimes during the contract negotiation phase, partners do not accept the data transfer clauses because they think they are too strict and as a result they either pull out, which can result in loss of revenue, or it restricts the data that can be transferred, which can also impact revenue.
One of the DPOs was very critical of the lack of guidance from the ICO when the IDTA was introduced. At the time, he was working for a much larger business that had internal lawyers, but they did not feel confident enough to advise on the IDTA. Instead, they consulted an external lawyer at a cost of around £20,000.
4.5 Businesses used data adequacy for transferring data internationally
Among larger businesses, there was high awareness of data adequacy and for some it was the preferred international data transfer tool. One DPO, for example, explained that he would always encourage staff to pick a supplier from a data adequate country when possible. The benefits were perceived to be ease, and confidence in compliance. A few DPOs said they would like to see more adequacy agreements, particularly with countries that the UK is doing a lot of data driven business with such as Australia.
“More adequacy will make everybody’s life much, much easier. Less paperwork, more efficiency.”
Other Service Activities, large business
Similar to Wave 1, awareness of adequacy was low among smaller businesses. When smaller businesses were asked what they understood ‘data adequate’ meant, they either said they did not know or talked about principles of data protection in terms of only storing data that is strictly needed for their business.
“It is that you gather adequate information for a specified purpose. So no more or no less than necessary to achieve the purpose.”
Administrative and Support Service Activities, sole trader
4.6 Binding Corporate Rules perceived as expensive, time-consuming and suited to large multinational businesses
Among most businesses that participated there was a perception that Binding Corporate Rules were more appropriate for very large multinational businesses. Some businesses perceived that Binding Corporate Rules required too much effort and were costly and time-consuming. One DPO had previously worked for the ICO, so had observed how long BCRs can take to be approved.
One large supply chain business explained that BCRs were under discussion in their business because it was felt that they might be well-suited to data transfers between their offices in UK and India, which constitutes a large proportion of their data transfers. The participant assumed they had not yet pursued setting them up because their compliance team had other priorities.
“We’re a lean business, so we’re resourced for what we’re doing. We do have a compliance department, but they’ve got enough on their hands making sure we’re compliant with security and health and safety and the like, so it’s one of those things on the to do list.”
Other Service Activities, large business
Another DPO thought that their business was reaching a scale at which they would look into BCRs, because these would offer commercial value by signalling to potential customers that the business has externally approved processes that are the best in the industry.
4.7 Costs involved in guidance and training on international data transfers
The smaller businesses we spoke to did not use international data transfer tools. Larger businesses provided mixed feedback on the costs involved in implementing them. Some DPOs were aware of how time-intensive updating the EU SCCs with the Addendum had been, whereas others described it as relatively straightforward.
One large business with a global customer base in over 50 countries explained that they use an external firm of experts who stay up to date with the international legislation. The business buys a certain amount of time from them every year and relies on them to keep the business updated on any changes to legislation and what this means for their processes. They explained that the cost of this advice is around £160,000 per year, which they described as ‘not significant’.
Several DPOs in larger businesses referred to ‘OneTrust’ as a valuable and trustworthy source of information and guidance. They pay an annual fee to have access to a portal that allows them to manage risk and impact assessments and provides guidance on regulations in different countries.
“We use Data Guidance OneTrust as a portal for a lot of research and we’d paid fees to have access and lots of info and research taking statements. Has South Africa got regulations? Does it have oversight mechanisms? We can then put it through our spreadsheets and run an evaluation and see if any of the countries are safe or not.”
Other Service Activities, large business
One large business with offices in 26 countries used a tool called ‘Data Guidance’ produced by OneTrust to help them with a large HR transformation process. Data Guidance provided them with a summary of the data protection laws in different markets to help them plot the data flows across countries. The DPO estimated it would cost between a quarter of a million and a million pounds to implement the new HR system in terms of staff time/loss of earnings due to working on this rather than conducting delivery work. He said that they had not consulted external legal counsel apart from in China because they felt that they could afford to take on some risk related to international data transfers because the risk of financial penalties is low.
“There have been very few fines or very few active actions over international transfer… you see what is probably sensible and proportionate reaction from regulators. They seem very relaxed about things not working as they should and therefore it’s difficult to create justification to spend what would end up being tens of thousands with multiple lawyers, when you don’t see those being challenged in any way, shape or form.”
Information and Communication, large business
One participant was a DPO consultant who had previously worked as a barrister and specialised in data security. He had advised large businesses across a range of sectors on international data transfers, and he felt that large businesses were spending large sums of money on external advice to ensure compliance, while smaller businesses do not have this resource available. He felt the government or ICO needs to support Small and Medium Enterprises (SMEs) much more effectively to navigate data protection generally, including international data transfers.
“What’s needed is the government or ICO to put together an information platform that’s really clear… to guide SMEs through a series of affordable steps, even points them in the direction of software solutions and doesn’t just dump them with what the rules say, what the risks are, what the penalties could be. You need to hold the hands of SMEs, they really struggle.”
Other Service Activities, micro business
He also observed that businesses’ approaches to international data transfers vary depending on the sector. For example, businesses that operate in sectors where the consequences of a data breach would be far-reaching, such as manufacturers of specialised military equipment, were far more rigorous in ensuring they have robust international data transfer processes and systems in place.
5. Businesses’ awareness and use of Transfer Risk Assessments
Chapter summary
This chapter discusses businesses’ awareness and use of Transfer Risk Assessments (TRAs), including the ICO’s TRA.
Larger businesses generally used TRAs and thought they were valuable in identifying risks in how they handle international data transfers. Smaller businesses were not familiar with them, and their reaction tended to be that they did not have the expertise or resources to conduct them.
5.1 Some large businesses used either the ICO TRA, or one developed in-house
DPOs were positive about the value of transfer risk assessments, and some had used the ICO TRA or were familiar with it but had already developed their own TRA in-house. One DPO used the ICO TRA but had transferred it to Excel, and another had developed their own based on the ICO’s that was hosted on ‘OneTrust’ which had the advantage of being digitised. Professionals working in roles adjacent to DPOs, such as IT or Security, were less familiar with them but understood the principles and recognised their importance.
“I think they’re very useful. You run a scenario through those tools, and it just gives you a very quick advice on what you may need to address.”
Professional, Scientific and Technical Activities, large business
One DPO from a large business thought that the ICO TRA could be particularly useful for small and medium businesses that might have less data protection expertise. He thought it was well structured and pragmatic. However, participants from small businesses were not familiar with the ICO TRA, and when shown the ICO TRA were overwhelmed by its length and complexity. Smaller businesses suggested that there are barriers to accessing the TRA including limited resource, data protection not being perceived as a top priority or as relevant to them due to their size, and very limited understanding of data protection regulations.
One participant, who was an IT Director for a large company in the energy and life sciences sector, spoke highly of the value of TRAs. The business was structured so that each project had its own project lead, and this individual was responsible for conducting TRAs. He spontaneously mentioned that they use TRAs ‘not as a tick-box exercise but to show technical maturity’. He gave a couple of examples of how valuable TRAs are in reviewing their procedures and flagging areas to be improved, such as ensuring that they had multi-factor authentication (MFA) on all their external systems.
Another DPO working for a charity that holds very sensitive personal data on its clients also viewed TRAs as a crucial tool that has an impact on their decision-making process. However, he acknowledged that they are far more conservative and risk averse than most organisations due to the hugely sensitive nature of the personal data they hold, and the requirement that they hold all data in the UK or EU unless an exemption is approved. He also reflected that for profit-making businesses, it would be much harder to always choose the most secure, compliant suppliers because less compliant suppliers might be significantly cheaper or offer a better service. In addition, he was one of a number of DPOs who thought the ICO was unlikely to fine businesses that are not compliant with regulations on international data transfers.
“I would be very stressed working for an organisation that is profit making because then of course you end up far more in a situation where you say, this is not safe. But if it goes wrong, you know, the fine would be a hundred thousand, the profits will be a million. What shall we choose? Let’s face it, in this country, you’re not going to get big fines unless you really, really screw up. My DPO colleagues in Spain will have it easier because the authority really does fine significantly.”
Human Health and Social Work Activities, large business
Another DPO was quite cynical about the value of risk assessments because he said if a business has chosen to use a supplier, it is highly unlikely that they are not going to use them even if a risk assessment shows that they are high risk.
5.2 Feedback on ICO guidance
Views on the ICO guidance were mixed. DPOs were generally quite positive about the ICO. However, those with less specialist knowledge, such as IT Directors, were more likely to comment on how complicated and detailed the information is. One IT Director explained that it can be quicker to use a third-party website that provides a summary of ICO guidance; however, the risk with this is that it is difficult to know whether the summary is in fact accurate.
“You’re trolling through pages and pages of stuff before you get clarity…you can either go to a third party and get their reading of the situation or you can go on yourself and try and make sense of it…it’s a bit of a minefield to be honest.”
Administrative and Support Service Activities, large business
6. Secondary data analysis of UK Business Data Survey
Chapter summary
This chapter briefly looks at quantitative sources to assess the scale of uptake of IDTAs. The best estimate comes from UKBDS 2024, which found 15% (lower estimate 6%, upper estimate 23%) of businesses in 2024 said they used IDTAs. Triangulating with our primary research suggests this could be an overestimate. There was no statistically significant evidence for changes in the use of other ITTs between introduction and 2024.
The sources reviewed were the UKBDS 2022 and UKBDS 2024 quantitative data tables.
6.1 Methodology
The UKBDS 2022 and UKBDS 2024 [footnote 2] are nationally representative questionnaires on business use of data. In both years, the survey asked businesses to say if they shared personal data internationally. Those businesses that said they did were asked further questions, including “Does your business use any of the following legal safeguards to transfer personal data to businesses, organisations or people based outside of the UK?”. In 2022, the options were:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Adequacy
- Exceptions for specific circumstances
- Other
- None of these
- Don’t know
- Prefer not to say
For the 2024 wave, following the introduction of IDTAs, the option ‘International Data Transfer Agreement (IDTAs)’ was added.
The initial analysis looks simply at the proportion of businesses that said they share personal data internationally, that use each of the tools.
6.2 Findings from UKBDS 2022 and 2024
Table 1 shows, for 2022 and 2024, the percentage of businesses that shared personal data internationally that said they use each international data transfer tool.
Table 1
Result | Year | Percentage | Lower estimate | Upper estimate |
---|---|---|---|---|
International data transfer agreement (IDTA) | 2022 | - | - | - |
International data transfer agreement (IDTA) | 2024 | 15% | 6% | 23% |
Standard Contractual Clauses (SCCs) | 2022 | 31% | 23% | 39% |
Standard Contractual Clauses (SCCs) | 2024 | 25% | 14% | 35% |
Adequacy | 2022 | 22% | 15% | 29% |
Adequacy | 2024 | 19% | 9% | 29% |
Binding Corporate Rules (BCRs) | 2022 | 9% | 4% | 13% |
Binding Corporate Rules (BCRs) | 2024 | 20% | 10% | 30% |
Don’t know | 2022 | 13% | 8% | 19% |
Don’t know | 2024 | 10% | 2% | 17% |
Exceptions for specific circumstances | 2022 | 8% | 3% | 12% |
Exceptions for specific circumstances | 2024 | 15% | 6% | 23% |
None of these | 2022 | 39% | 31% | 47% |
None of these | 2024 | 49% | 37% | 61% |
Other | 2022 | 3% | 0% | 6% |
Other | 2024 | 1% | 0% | 4% |
Prefer not to say | 2022 | 1% | 0% | 3% |
Prefer not to say | 2024 | - | - | - |
Source: UKBDS 2022 and UKBDS 2024 [footnote 2].
Even though there are small differences between 2022 and 2024, none were statistically significant. This might be for a few different reasons:
- genuine shifts were relatively small, and the number of respondents in this section of the UKBDS resulted in relatively large error margins (that is, the difference between the lower and upper estimates)
- there was genuinely no change (except for IDTAs following adoption)
Similarly, more people responded ‘none of these [ITTs]’ in 2024 than responded with any other individual ITT. But there are no statistically significant differences between use of IDTAs and any other individual ITT in 2024.
Looking at changes between 2022 and 2024, there have been no significant changes. We can say with 95% confidence that between 2022 and 2024, the uptake of any individual ITT has not gone up or down by around 20% of businesses or more (a change of this scale would have shown as statistically significant).
6.3 Triangulating qualitative and quantitative findings
IDTAs and other ITTs are highly technical, and awareness of ITTs was low - except for people who were Data Protection Officers.
During both the recruitment phase and the interviews themselves, we found some participants said their business used IDTAs, but when probed in interview this was actually a misunderstanding and they did not. Previous waves of the UKBDS have also noted a discrepancy between the relatively high stated uptake of some ITTs and the reality. This lack of awareness is perhaps especially true where the respondent was not a DPO, most likely because the business did not employ one; this applies mostly to smaller businesses.
7. Conclusion
This research has investigated the views businesses have about IDTAs and other international data transfer tools. From this, we can draw out the following wider points about data transfers internationally.
IDTAs were designed to be simpler to understand and use than SCCs, and this research found this has been somewhat achieved. Businesses that said they knew about or had used IDTAs felt they were shorter and simpler than EU SCCs. This simplification compared to EU SCCs is part of what was intended when IDTAs were introduced.
However, this research has not found evidence that IDTAs have been taken up widely, nor evidence that they have replaced EU SCCs and the EU SCC addendum, or other international data transfer tools.
There are several explanatory factors uncovered by this research that are not related to the construction of the IDTA itself that have deterred businesses from adopting the IDTA. These factors include businesses:
- that operate in the EU having greater compliance requirements if they use IDTAs and EU SCCs, compared to the apparent preferred option, of using EU SCCs and the EU SCC addendum
- simply not knowing about IDTAs, even ones where they have experienced DPOs
- especially smaller businesses, having low awareness of data protection law in general, and therefore the introduction of IDTAs in practice has had no effect on them
One implication of this lack of awareness is that further attempts to change data protection law should take into account raising awareness more explicitly, particularly to impact behaviour of smaller businesses.
This and other qualitative research has found routes other than changes to the legal mechanism itself that might lead to these changes.
Smaller businesses said that they defer to large businesses, and to IT and legal service providers, as they assume these have done their due diligence when choosing or recommending a process for international data transfers.
This implies that an action to ensure compliance with ITTs on businesses that provide those services, and businesses that sub-contract work, may be more effective than only expecting compliance from smaller businesses.
The professional training of DPOs, rather than the size of the organisation they work for, may be driving familiarity with, and more considered use of, ITTs. Data Protection Officers demonstrated more in-depth knowledge than participants who were not DPOs, even when the participant was in an apparently similar position and organisation.
Across the range of areas covered in this research, some participants’ decisions on the level of compliance activities they should undertake are driven by the risk of a compliance check and the magnitude of the associated punishment in the event of an error. This may have an impact on which levers are most effective at improving compliance with data protection laws. DPOs commented that they would like the ICO to implement more fines, as this would help them drive compliance within their businesses.
The current political and economic climates may be limiting the benefits adequacy decisions have for businesses. Some businesses view adequacy decisions as useful and efficient, but others view them as an ITT that is subject to change over a short time frame due to political and economic uncertainty. As such, they put in place other ITTs (EU SCCs or IDTAs) even when they could rely simply on adequacy for data transfer, as this builds resilience into their operations.
Finding a suitable balance between comprehensiveness and usability may be crucial when designing products such as the ICO’s Transfer Risk Assessment (TRA) tool. The introduction of the ICO’s TRA tool has had a positive impact on some businesses, but others were not aware of it. Businesses that used the tool, or used it to inform their own processes, found it useful. Smaller businesses that were unaware of it found, when it was shown to them, the length of the tool overwhelming.
This research also highlights evidence gaps that remain.
Surveys like UKBDS have limitations where they explore highly technical topics such as ITTs. Ascertaining the exact extent of the use of IDTAs might require further research. Previous waves of the UKBDS have also noted the discrepancy between stated ITT use and the likely true scale. Qualitative studies such as this one allow us to go into more depth and help complement the picture we have of limited use of these tools. So the scale of uptake of IDTAs remains an evidence gap.
This research interviewed people with responsibility for how data is used and DPOs in businesses. There continue to be evidence gaps about the use of data in public and charitable organisations, and the views of other professionals regarding data protection law, specifically lawyers.
Annex 1: Interview details
Participant sample
The final composition of the research sample is outlined below.
Fifteen qualitative in-depth interviews were conducted with UK businesses between February and March 2025. Interviews with businesses were conducted via Microsoft Teams or telephone and lasted between 45 and 60 minutes each.
Table 2 shows the business sector and business size of participating businesses:
Business sector | Interviews completed |
---|---|
Wholesale And Retail Trade; Repair of Motor Vehicles and Motorcycles | 1 |
Information And Communication | 2 |
Professional, Scientific and Technical Activities | 4 |
Administrative And Support Service Activities | 3 |
Arts, Entertainment and Recreation | 2 |
Other Service Activities | 3 |

Business size | Interviews completed |
---|---|
Zero – Sole trader | 1 |
Micro (1 to 9 employees) | 1 |
Small (10 to 49 employees) | 2 |
Medium (50 to 249 employees) | 2 |
Large (more than 250 employees) | 9 |
Depth Interview Topic Guide
Introduction
Introduce yourself and Ipsos: My name is MODERATOR TO ADD NAME and I am a researcher working for Ipsos, an independent research organisation.
Explain research: The Department for Science, Innovation and Technology (DSIT) has commissioned Ipsos to carry out this study which involves talking with UK businesses to get a better understanding of why and how they transfer data internationally.
The interview: The nature of the research is exploratory, and the discussion will be informal. There are no right or wrong answers.
Explain confidentiality: The contents of our discussion are completely confidential, and all findings are reported on anonymously. This means that no identifiable information will be shared with the Department for Science, Innovation and Technology or any other parties.
Explain payment for participation: You will receive £100 as either a bank transfer or charity donation as a thank you for your time. (ONLY IF THEY ASK: Let participants know that it takes a maximum of 8 working days for them to receive the incentive.)
Explain voluntary participation: If you wish to end the discussion at any time, please let me know. Your participation in this research is voluntary.
Length of the interview: This discussion will last a maximum of 60 minutes.
Questions: Do you have any questions before we begin?
Consent to audio record: I would like to record our discussion, as this helps with making notes and analysis. Recordings are used only for analysis purposes and are stored securely and deleted 12 months after the interview takes place.
MODERATOR TO TURN ON RECORDING
GDPR added consent (MODERATOR TO ASK ONCE RECORDER IS ON)
Ipsos’s legal basis for processing your data is your consent to take part in this research. Your participation is voluntary. You can withdraw your consent for your data to be used at any point before, during or after the interview and before data is anonymised at the end of June 2025.
Can I check that you are happy to proceed?
Business background
To start our discussion, I would like to spend a few minutes understanding your business in a bit more detail.
Firstly, please could you briefly describe your business?
How long has the business been operating?
What does the business do?
How would you describe the size and structure of the business?
Could you briefly describe your role within the business?
How long have you been working in this business?
What are your responsibilities?
Could you briefly describe what types of data you share internationally? MODERATOR: USE STIMULUS MATERIAL TO PROMPT ON TYPES OF DATA SHARED.
And why do you share data internationally? Probe on: facilitating core functions, outsourcing processes, buying services, selling products, other branches of company
For how long has your business been transferring data internationally?
To which countries does your business transfer data? MODERATOR TO MAKE NOTE OF THIS AND PROBE ON COUNTRIES LISTED IN THE RESPONDENT PROFILE. ALSO PROBE ON WHETHER BUSINESS HAS STARTED TRANSFERRING DATA TO THESE COUNTRIES SINCE MARCH 2022 WHEN IDTA CAME INTO FORCE
Understanding businesses and the data they share internationally
I’d now like to ask you about how you transfer data internationally. This isn’t a test on how you navigate compliance and international data transfer laws. As a reminder, we are not able to pass on anything identifiable you say to anyone outside of our organisation, including to DSIT.
We’re going to discuss the process by which you transfer data internationally, whether and how this is written into contracts, and any challenges you have with how you transfer data.
What was the most recent time your business started to send a new type of data internationally? Prompts if needed, for example:
- sending data to a new country for the first time, or
- expanding a service so needed to share a new category of data with a country that other data was already shared with, or perhaps a business had a client that was in a country they’d not worked with before
Could you talk us through the process your organisation went through to set this up? PROBE ON: Steps taken to understand business need for sharing data, agree process with party sending or receiving data, method of transfer (Secure File Transfer Protocol delivery, email, hardware), level of security and encryption, steps taken to ensure data is or has been held securely; how similar was this to other processes/international data transfers your organisation has done in the past?
How did your organisation come to a decision on this process? PROBE ON:
How easy/hard was it to implement? Did any new processes need to come into place? Which actors within/ external to the organisation were involved?
Talk to me about any guidance on international data transfers you used. Probe on:
(if guidance was a document or notes)
How did you locate the guidance? Did you know about it already?
What did you think of the guidance? Simple/ easy/ useful? Complicated/ tricky/ irrelevant?
Do you now have the knowledge internal to the organisation?
Assuming no changes to the law, would you consult [this source of guidance] again in a similar circumstance in the future?
(if guidance was a person or legal advice)
How did you get these people/ this person to help you?
Relevance/ usefulness of advice
Do you now have the knowledge internal to the organisation?
Assuming no changes to the law, would you consult [this source of guidance] again in a similar circumstance in the future?
Have you had to change or adapt anything put in place originally? And if so, can you tell me about these changes?
Thinking about what you’ve talked about [staff time, technical costs, advice, any legal costs as appropriate], what costs to your business were there? (prompts about extra infrastructure, extra hardware, extra software, extra employee time, extra external contractor/secondee time, extra lawyers, consultants, extra external DPOs, and unquantifiable costs like potential losses due to differences in how other organisations approach the rules)
Would you expect these costs to be similar for other international data transfers? Prompt on how they might be different.
Do you foresee any additional costs now that this is set up? Prompt on running costs, check in points
Legal mechanisms for international data transfers
I’d now like to ask you about standard data protection clauses. These are sections of text inserted into contracts which provide appropriate data protection safeguards under UK GDPR to personal data being sent internationally to a non-adequate country. The 2 most common examples in the UK are International Data Transfer Agreements (IDTAs) and Standard Contractual Clauses (SCCs).
Before we continue can I check you’re comfortable with those terms – standard data protection clauses; personal data; adequate/non-adequate country? MODERATOR: Refer to for-reference definitions above if not.
I’d now like to ask you some questions on the UK’s standard data protection clauses, International Data Transfer Agreements, also known as IDTAs, which replaced SCCs in the United Kingdom in March 2022.
Have you ever heard of IDTAs before now?
[If yes] can you tell me what you know about International Data Transfer Agreements? Prompts: What do you understand them to be?
MODERATOR READ [if needed]: IDTAs are clauses inserted into contracts which involve international data sharing. They’re appropriate when sharing personal data with a country outside the UK that does not have an ‘adequacy decision’ from the UK government. Data adequacy is granted to countries which provide high standards of protection for personal data. IDTAs are used when the country’s data protection laws are sufficiently similar for businesses to be protected from risk if any third-party access to the personal data occurs.
Are IDTAs used in your organisation that you are aware of?
MODERATOR: IF HEARD OF IDTAS AND USING THEM ASK:
Can you tell me about them?
Why have you decided to use IDTAs? How did you make this decision?
Has the introduction of IDTAs impacted how your organisation shares data beyond implementing the IDTA itself? Prompt on whether it has impacted on processes and procedures to ensure personal data is safe or perceived as a ‘tick box’ exercise, changes in confidence sharing data/knowledge they are compliant, is it something that has been communicated more widely across business (e.g. shared with wider compliance/legal/data teams or even more broadly)?
Tell me about implementing IDTAs. Prompt on:
Any challenges
What could have been improved. Why?
Did you use guidance from e.g. ICO, trade body, lawyers? Prompt on
How did you locate them?
Relevance?
Do you now have the knowledge internal to the organisation?
Assuming no changes to the law, would you consult [this source of guidance] again in a similar circumstance in the future?
Tell me about the benefits of IDTAs. Prompt on ease of putting in place, easier to understand/put in place than SCCs, increased data-sharing
What costs were there in setting up the IDTA? Prompt on staff time, legal expertise, disruptions of services, changes in internal processes, internal training, other disruptions; and how long these went on for; do you expect any future costs, change in how the data is transferred? Probe explicitly about any other costs of IDTAs
MODERATOR: IF HEARD OF THEM, BUT NOT CURRENTLY USING THEM:
Would you envisage using any Standard Data Protection Clauses in the future? Why / why not?
What are the main reasons why you don’t use them? How could you overcome these? What support do you require?
MODERATOR: IF NOT HEARD OF IDTAS:
From what you’ve heard today, would you envisage using IDTAs in future? In what way? What costs do you expect? What benefits are you hoping for?
ASK ALL
I’d now like to talk about European Union Standard Contractual Clauses (EU SCCs) and the IDT Addendum to EU SCCs.
The International Data Transfer (IDT) Addendum to EU Standard Contractual Clauses (SCCs) allows EU SCCs to be adapted for compliance with UK regulations in certain circumstances and provides guidance on how these should be applied.
Have you heard of either EU SCCs or the IDT Addendum to EU SCCs before now?
Can you tell me what you know about EU SCCs or the IDT Addendum to EU SCCs?
PROBE ON What do you understand them to be?
Are EU SCCs used in your organisation? What do you think of them?
Is the IDT Addendum to EU SCCs used in your organisation that you are aware of?
MODERATOR: IF BUSINESSES USED IDT ADDENDUM TO EU SCCS:
Why have you decided to use the IDT Addendum to EU SCCs? How did you make this decision?
MODERATOR: IF USE IDTAs too: Why does your organisation use the IDT Addendum to EU SCCs alongside UK IDTAs?
MODERATOR: If does not use UK IDTAs: Why does your organisation use EU SCCs instead of the IDTA?
Has the introduction of the IDT Addendum to EU SCCs impacted how your organisation shares data beyond implementing the Addendum itself? Prompt on whether it has impacted on processes and procedures to ensure personal data is safe or perceived as a ‘tick box’ exercise, changes in confidence sharing data/knowledge they are compliant, is it something that has been communicated more widely across business (e.g. shared with wider compliance/legal/data teams or even more broadly)?
Tell me about implementing the IDT Addendum to EU SCCs. Prompt on any challenges, what could have been improved. Why?
Did you use guidance from e.g. ICO, trade bodies, lawyers when implementing them? Who provided it? What did you think of it?
Are there any benefits to your organisation [beyond those mentioned above on impacts] of the IDT Addendum to EU SCCs? E.g.
- Greater confidence in compliance
- Don’t need to change much to remain compliant
What costs were there setting up the IDT Addendum to EU SCCs? Prompt on staff time, legal expertise, disruption of services, changes in internal processes, internal training, other disruptions; and how long these went on for; and do you expect any future costs or changes in how data is transferred?
Are there any other costs of the IDT Addendum to EU SCCs?
MODERATOR: IF heard of them, but not using them
Would you envisage using the IDT Addendum to EU SCCs to transfer data in future? Why/not?
What are the main reasons why you don’t use them? How could you overcome these? What support do you require?
MODERATOR: IF NOT HEARD OF THEM
From what you’ve heard today, would you envisage using the IDT Addendum to EU SCCs in future? In what way? What costs might you expect [people, training, legal advice, change in contracts or other systems]? What benefits are you hoping for?
ASK ALL
Now we’d like to ask about the other legal mechanisms you might have used for international data transfers. This includes Data Adequacy, Binding Corporate Rules and others.
Have you heard of data adequacy decisions and adequate countries/territories?
Can you tell me about data adequacy decisions?
IF NEEDED: Data Adequacy: A status granted by the UK to a country, territory, or international organisation, or in a particular sector in a country or territory, which has been deemed to provide ‘adequate’ protection for people’s rights and freedoms in relation to their personal data.
Prompt on what do you understand them to be?
As far as you are aware, does your organisation make use of adequacy decisions where possible? Or does your organisation use other transfer mechanisms when transferring to countries where adequacy decisions are in place?
How did your organisation come to a decision on whether to use adequacy decisions or another legal mechanism? Prompt on why have you used these?
MODERATOR: ASK IF USING DATA ADEQUACY DECISIONS
Did you use guidance from e.g. ICO, Trade bodies or lawyers when using them? Who provided it? What did you think of it?
Has the use of data adequacy decisions impacted how your organisation shares data beyond using data adequacy decisions? Prompt on changes in confidence sharing data/knowledge they are compliant, is it something that has been communicated more widely across business (e.g. shared with wider compliance/legal/data teams or even more broadly)?
What are the benefits of using adequacy decisions?
Ease of data transfer, encourages more data transfer, confidence in compliance
What costs have you incurred from using data adequacy decisions? Prompt on cost of familiarising organisation with data adequacy decisions such as staff time, legal expertise, changes in internal processes, internal training, other disruptions; and how long these went on for; and do you expect any future costs?
Are there any other costs of using data adequacy decisions?
MODERATOR: ASK IF HEARD OF THEM, BUT NOT USING THEM
Would you envisage using data adequacy decisions in future? Why/not?
What are the main barriers to using them? How could you overcome these? What support do you require?
Probe explicitly on other transfer mechanisms used to transfer data to adequate countries/territories
MODERATOR: ASK IF NOT HEARD OF THEM
From what you’ve heard today, would you envisage using data adequacy decisions in future? In what way? What benefit are you hoping for? What costs do you expect?
I’d now like to ask about Binding Corporate Rules (BCRs). Have you heard about Binding Corporate Rules?
IF NEEDED: BCRs are designed to provide appropriate safeguards for making internal or intragroup restricted transfers, and are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures, or professional partnerships.
Does your organisation make use of BCRs?
[appropriate routing]
How did your organisation come to a decision on whether to use BCRs or another legal mechanism? Prompt on why have you used these?
MODERATOR: ASK IF USING BCRs
Did you use guidance from e.g. ICO, Trade bodies or lawyers when using them? What did you think of it?
Has the use of BCRs impacted how your organisation shares data beyond using BCRs? Prompt on changes in confidence sharing data/knowledge they are compliant, is it something that has been communicated more widely across business (e.g. shared with wider compliance/legal/data teams or even more broadly)?
What are the benefits of using BCRs?
Ease of data transfer, encourages more data transfer, confidence in compliance
What costs have you incurred from using BCRs? Prompt on cost of familiarising organisation with BCRs such as staff time, legal expertise, changes in internal processes, internal training, other disruptions; and how long these went on for; and do you expect any future costs?
Are there any other costs of using data adequacy decisions?
MODERATOR: ASK IF HEARD OF THEM, BUT NOT USING THEM
Would you envisage using Binding Corporate Rules in future? Why/not?
What are the main reasons why you don’t use them? How could you overcome these? What support do you require?
MODERATOR: ASK IF NOT HEARD OF THEM
From what you’ve heard today, would you envisage using Binding Corporate Rules in future? In what way? What benefit are you hoping for? What costs do you expect?
Are there any other mechanisms you use for transferring data internationally? MODERATORS: e.g. There is an exemption for some types of immigration data.
MODERATOR: By the end of this section make sure you have gathered information on how the business uses international data transfer tools, why they chose those tools, and the benefits and challenges. If they don’t use the tools, gather how they handle data transfers and why they aren’t using the tools.
Transfer Risk Assessment
ASK ALL
I’d now like to ask about the Transfer Risk Assessments (TRA) and the ICO’s Transfer Risk Assessment Tool also known as ICO’s TRA Tool.
Have you heard of Transfer Risk Assessments?
IF YES, GO TO A; IF NO, GO TO B
A Can you tell me about Transfer Risk Assessments? Prompt on what do you understand them to be?
Has your organisation conducted a Transfer Risk Assessment that you are aware of? Was it the ICO TRA tool, or an in-house or some other TRA tool?
IF IT WAS THE ICO TRA TOOL, GO STRAIGHT TO “Why have you decided to use the ICO TRA tool” QUESTION BELOW
MODERATOR: ASK IF HEARD OF THEM, CONDUCTING THEM AND IT WASN’T THE ICO TRA TOOL
How was the experience of conducting a Transfer Risk Assessment? What went well? What could be improved?
What were the benefits of conducting a Transfer Risk Assessment?
Have you faced any issues when conducting Transfer Risk Assessments?
MODERATOR: ASK IF HEARD OF THEM BUT NOT CONDUCTING THEM
Would you envisage conducting Transfer Risk Assessments in future?
What are the potential benefits of conducting a Transfer Risk Assessment?
Is there anything stopping you from using Transfer Risk Assessments?
B MODERATOR: ASK IF NOT HEARD OF THEM UNTIL INTERVIEW:
MODERATOR READ OUT: The purpose of a Transfer Risk Assessment, or TRA, is to ensure that when personal data is transferred outside of the UK to a third country, the protections offered under the GDPR are maintained for the lifetime of the transfer, by identifying any risks and mitigating those risks where necessary.
From what you’ve heard today, would you envisage using TRAs in future? In what way? What benefit are you hoping for? What costs do you expect?
ICO’s Transfer Risk Assessment (TRA) Tool
Have you heard of the ICO’s TRA tool? Can you tell me about the ICO’s TRA tool?
[this is a check as already covered in earlier question] Have you used the ICO’s TRA tool?
MODERATOR: IF YES ASK
Why have you decided to use the ICO TRA tool? How did you make this decision? What did you think of it?
Has the TRA tool contributed to your organisation’s decision making? Prompt on whether it has impacted on processes and procedures to ensure personal data is safe or perceived as a ‘tick box’ exercise, changes in confidence sharing data/knowledge they are compliant, is it something that has been communicated more widely across business (e.g. shared with wider compliance/legal/data teams or even more broadly)?
Has the ICO TRA tool impacted your organisation’s processes for sharing data abroad?
[check this isn’t a duplicate question before asking] Are there any benefits of using the ICO TRA tool?
How many transfers has your organisation used the tool for?
[check this isn’t a duplicate question before asking] What costs have you incurred from using the ICO’s TRA tool? Prompt on staff time, legal expertise, disruption of services, changes in internal processes, internal training, other disruptions; and how long these went on for; and do you expect any future costs or changes in how data is transferred?
Are there any other costs of using the ICO TRA tool?
[check this isn’t a duplicate question before asking] How could the TRA tool better support your organisation’s processes for sharing data abroad?
MODERATOR: IF HEARD OF IT, BUT NOT USING IT
Would you envisage using the ICO’s TRA tool in future? Why/not? Do you use another approach to TRAs (e.g. the approach taken by the European Data Protection Board, which involves looking at the safeguards in place regarding third party access to the information, in particular by governments; those safeguards do not need to be identical to those in the UK, but must be sufficiently similar)?
What are the main reasons why you don’t use the ICO’s TRA tool? How could you overcome these? What support do you require?
MODERATOR: IF NOT HEARD OF IT
From what you’ve heard today, would you envisage using the ICO’s TRA tool in future? In what way? How will it benefit your business? What costs do you expect?
Wrap-up
Is there anything you would like to feed back to the Department for Science, Innovation and Technology or the Information Commissioner’s Office about what we have discussed today?
Is there anything else you’d like to mention that we haven’t had a chance to discuss?
The Department for Science, Innovation and Technology may want to do some follow-up research on this subject in the future. Would you be happy to be contacted by DSIT / Ipsos for future research?
INCENTIVE: Thank participant and remind them of confidentiality. Explain that they can get in touch if they have any further comments or questions about the research. Remind them of the £100 bank transfer or charity donation thank you from Ipsos, as an appreciation for their time and contribution to the research. ONLY IF THEY ASK: (Let participants know that it takes a maximum of 8 working days for them to receive the incentive.)
Annex 2: Glossary and abbreviations
This report uses terminology and abbreviations that are explained below.
Term | Definition |
---|---|
Article 46 transfer mechanisms | Appropriate ‘legal safeguards’ listed in Article 46 of UK GDPR. Examples are the International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs and Binding Corporate Rules. |
Artificial Intelligence (AI) | Artificial intelligence (AI) refers to computer systems capable of performing complex tasks that historically only a human could do, such as reasoning, making decisions, or solving problems. |
Binding Corporate Rules (BCRs) | Binding Corporate Rules (BCRs) are designed to provide appropriate safeguards for making internal or intragroup restricted transfers. They are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures, or professional partnerships. |
Cloud | The cloud refers to servers that are accessed over the Internet, and the software and databases that run on those servers. Cloud servers are in data centres all over the world. By using cloud computing, users and businesses do not have to manage physical servers themselves or run software applications on their own machines. |
Data ‘adequacy’ | Data ‘adequacy’ is a status granted by the UK to countries which provide high standards of protection for personal data. |
Data Protection Officer (DPO) | A DPO’s role is to ensure that their organisation processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules. |
Department for Science, Innovation and Technology (DSIT) | The Department for Science, Innovation and Technology (DSIT) is responsible for helping to encourage, develop and manage the UK’s scientific, research, and technological outputs. DSIT is also responsible for managing the necessary physical and digital infrastructure and regulation to support the British economy, UK public services, national security, and wider UK Government priorities. |
European Union (EU) | The EU countries are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. |
ICO Transfer Risk Assessment Tool | A template document with questions and guidance that sets out the Information Commissioner’s Office’s (ICO’s) approach to carry out a Transfer Risk Assessment. |
International Data Transfer Addendum to the EU SCCs | The addendum allows the EU SCCs to be adapted for compliance with UK regulations in certain circumstances, and is accompanied by guidance on how it should be applied. |
Large business | Business with more than 250 employees. |
Larger businesses | This refers to medium and large businesses with more than 49 employees. |
Medium business | Business with 50 to 249 employees. |
Micro business | Business with 1 to 9 employees. |
Restricted Transfer | A transfer of personal data to a receiver outside of the UK. One way to comply with UK GDPR when making a restricted transfer is to apply an Article 46 transfer mechanism. You may also make a restricted transfer if the receiver is in a third country or territory, or is an international organisation, or in a particular sector in a country or territory covered by UK adequacy regulations. |
Secure File Transfer Protocol (SFTP) | Secure File Transfer Protocol (SFTP) is a network protocol for securely accessing, transferring and managing large files and sensitive data. |
Sole trader | A sole trader is a type of business. A sole trader involves one person who owns and operates the business. |
Small business | Business with 10 to 49 employees. |
Standard Contractual Clauses (SCCs) | Standard Contractual Clauses are clauses inserted into contracts which provide appropriate data protection safeguards under General Data Protection Regulation (GDPR) to personal data being sent internationally to a non-adequate country. |
Transfer Risk Assessments | An assessment to ensure that, in the specific circumstances of a restricted transfer, the Article 46 mechanism will provide appropriate safeguards, and effective and enforceable rights for people. |
Two-factor authentication | Two-factor authentication (2FA), or multi-factor authentication (MFA) is an electronic authentication method in which a user is granted access to a network or application only after successfully presenting 2 or more pieces of evidence to an authentication mechanism (for example, a password and a one-time passcode). |
UK Business Data Survey (UKBDS) | The UK Business Data Survey (UKBDS) is an official statistics publication that has been produced to the standards set out in the Code of Practice for Statistics. It helps the government understand the role and importance of personal and non-personal data in UK businesses, domestic and international transfers of data, and activities and opinions relating to data protection legislation and policy. |
UK General Data Protection Regulation (GDPR) | UK General Data Protection Regulation (GDPR) is a law that sets guidelines for the collection and processing of personal information from individuals. UK GDPR came into effect in May 2018. Participants referred to UK GDPR as GDPR in interviews. |
Virtual Private Network (VPN) | A Virtual Private Network (VPN) is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorised people from listening in on the traffic and allows the user to conduct work remotely. Virtual Private Network technology is widely used in business environments. |
Our standards and accreditations
Ipsos’ standards and accreditations provide our clients with the peace of mind that they can always depend on us to deliver reliable, sustainable findings. Our focus on quality and continuous improvement means we have embedded a “right first time” approach throughout our organisation.
ISO 20252
This is the international market research specific standard that supersedes BS 7911/MRQSA and incorporates IQCS (Interviewer Quality Control Scheme). It covers the 5 stages of a Market Research project. Ipsos MORI was the first company in the world to gain this accreditation.
ISO 27001
This is the international standard for information security designed to ensure the selection of adequate and proportionate security controls. Ipsos MORI was the first research company in the UK to be awarded this in August 2008.
ISO 9001
This is the international general company standard with a focus on continual improvement through quality management systems. In 1994, we became one of the early adopters of the ISO 9001 business standard.
Market Research Society (MRS) Company Partnership
By being an MRS Company Partner, Ipsos MORI endorses and supports the core MRS brand values of professionalism, research excellence and business effectiveness, and commits to comply with the MRS Code of Conduct throughout the organisation.
Data Protection Act 2018
Ipsos MORI is required to comply with the Data Protection Act 2018. It covers the processing of personal data and the protection of privacy.
HMG Cyber Essentials
This is a government-backed scheme and a key deliverable of the UK’s National Cyber Security Programme. Ipsos was assessment-validated for Cyber Essentials certification in 2016. Cyber Essentials defines a set of controls which, when properly implemented, provide organisations with basic protection from the most prevalent forms of threat coming from the internet.
Fair Data
Ipsos is signed up as a “Fair Data” company, agreeing to adhere to 10 core principles. The principles support and complement other standards such as ISOs, and the requirements of Data Protection legislation.