Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you work with US-based tools, service providers or customers, you're probably moving some personal data across borders. Since the end of Privacy Shield, that has felt complicated. The good news is that the UK-US Data Bridge is now up and running (it has applied since 12 October 2023), making certain transfers to the United States simpler under UK GDPR.
In this guide, we’ll explain what the UK-US Data Bridge is, when you can rely on it, and the practical steps to update your contracts and policies. Our aim is to help you transfer data lawfully and confidently, without the jargon.
What Is The UK-US Data Bridge?
The UK-US Data Bridge is the UK's "adequacy" arrangement for personal data transfers to the US. It's the UK extension to the EU-US Data Privacy Framework (DPF). In simple terms, it allows UK organisations to transfer personal data to certain US organisations without needing Standard Contractual Clauses (SCCs) - in UK practice, the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs - or a transfer risk assessment (TRA), provided specific conditions are met.
Key points to know:
- It only applies to US organisations that are certified under the DPF and have opted into the “UK Extension.”
- The UK government has assessed that US organisations in the framework provide an adequate level of protection for UK personal data, subject to the DPF’s rules and redress mechanisms.
- It sits alongside other transfer mechanisms (like SCCs) - it doesn’t replace them. You can keep using your existing approach if you prefer.
From a UK GDPR perspective (Articles 44–49), the Data Bridge is a recognised pathway that can save you paperwork, reduce transfer risk assessment burdens and speed up vendor onboarding - provided you check your US counterpart’s certification and keep your documentation in order.
When Can Your Business Use The UK-US Data Bridge?
You can rely on the UK-US Data Bridge when all of the following are true:
- Your transfer is a “restricted transfer” under UK GDPR - i.e., you’re sending personal data from the UK to a recipient in the US.
- The US recipient is certified to the DPF and has opted into the UK Extension (check the official DPF list and the scope of their certification).
- The data you’re sending is covered by the recipient’s certification (watch for sectoral exclusions and the organisation’s declared processing activities).
There are important eligibility limits. The DPF is administered by the US Department of Commerce and enforced primarily by the FTC and Department of Transportation. Certain US entities outside those regulators’ jurisdiction (for example, some banking, telecoms or not‑for‑profit entities) can’t participate. If your US recipient can’t be certified, you’ll need another mechanism (typically SCCs plus a TRA).
Special category data (like health data) and criminal offence data can still be transferred under the bridge, but you must apply UK GDPR's rules for sensitive data. Under the DPF, "sensitive" categories carry extra protections, and the DPF's own definition of sensitive data is narrower than UK GDPR's - categories such as genetic data, biometric data, sexual orientation and criminal offence data are not automatically treated as sensitive by the US recipient, so you are expected to identify them as sensitive when you transfer them. Be clear in your instructions and contracts whenever sensitive data is involved.
Step-By-Step: How To Transfer Data To The US Under The Bridge
1) Map Your Transfers
List the US tools, vendors and affiliates that receive UK personal data (think CRMs, email marketing, analytics, cloud storage, AI tools and support providers). For each flow, note what data is sent, why you need it and whether it includes special category data.
2) Check Certification
For each US recipient, search the DPF public list to confirm they are certified and have opted into the UK Extension. Record the certification date, services covered and any limitations the organisation has declared. Re-check this annually (or more often if your risk profile is higher).
3) Update Your Legal Basis And Notices
Make sure you have a valid UK GDPR legal basis for the processing and the transfer. Then update your privacy notice to explain the international transfer and safeguard relied on. If you don’t yet have a clear, user‑friendly policy, it’s a good time to put a compliant Privacy Policy in place that reflects your current data flows.
4) Refresh Your Contracts
Where you are the controller and the US vendor processes personal data for you, ensure you have a robust Data Processing Agreement that sets out instructions, security requirements, assistance with data subject rights and deletion on termination. If you share data with another controller, consider a Data Sharing Agreement to allocate responsibilities and transparency obligations.
5) Keep Records Of Your Decision
Document why the bridge applies (e.g., recipient’s certification details, the services covered, what data flows are in scope). Keep this with your Records of Processing Activities and update it if your vendor changes scope or loses certification.
6) Build A Back-Up Plan
If your US partner lets their certification lapse, you’ll need to switch promptly to another mechanism (often SCCs). Flag key suppliers for quarterly checks and agree a contractual obligation on the vendor to maintain certification and notify you of any changes.
7) Align Your Operations
Make sure your operational processes can handle UK GDPR rights and retention rules post-transfer. For instance, ensure your team can meet subject access request deadlines and apply appropriate deletion schedules for personal data in US systems. If you need to remove data, confirm your vendor supports timely, auditable deletion - our guide to data deletion explains how this fits under UK GDPR.
Do You Still Need Contracts And Other Safeguards?
Yes. The Data Bridge simplifies the “international transfer” test, but it doesn’t remove your core UK GDPR duties. You should still:
- Use a controller–processor Data Processing Agreement when a US vendor processes personal data for you.
- Allocate responsibilities with a Data Sharing Agreement when you share data with another controller (including partners and affiliates).
- Assess vendor security, sub‑processors, breach history and support for data subject rights.
- Keep your privacy information accurate and accessible (especially your lawful bases, retention and international transfers).
Also remember: the bridge doesn’t override sector‑specific obligations. If you handle children’s data, health data, or financial data, there may be extra rules to meet. And if you use popular cloud or collaboration tools, check how they handle UK data in practice - our note on Google Drive and GDPR outlines the type of diligence to consider across similar platforms.
If you're experimenting with AI or analytics tools that call US-hosted APIs, it's wise to review privacy settings, enterprise terms and data localisation options. Many such tools can be configured to avoid sending special category data, or to pseudonymise inputs before they leave your environment. If you're unsure, our practical guidance on using AI tools under GDPR sets out sensible guardrails for teams.
Update Your Policies And Internal Processes
The bridge changes your transfer mechanism, so your paperwork should reflect that. Focus on:
Privacy Notices And Customer Comms
Make sure your Privacy Policy clearly states that you transfer personal data to the US under the UK-US Data Bridge (where applicable), names the types of recipients and explains how individuals can seek redress. Keep the language plain and consistent across your website, app and customer onboarding materials.
Cookies And Tracking
If you use US-based analytics or marketing tools, check your consent banner and configuration. You should only drop non‑essential cookies with consent and be transparent about any US recipients in your privacy information. Our guide to cookie banners runs through practical steps that SMEs can implement quickly.
Data Subject Rights And Retention
Ensure your US vendors can help you meet access, rectification, erasure and portability requests within UK timelines, and that deletion workflows match your retention policy. If your team needs a refresher, build a simple playbook covering intake, verification, response templates and evidence of completion, aligned with your SAR deadlines and your approach to deletion.
Vendor Management And Audits
Set calendar reminders to re-verify certification status for key US suppliers. Include obligations in your Data Processing Agreement requiring prompt notice of any change to DPF participation and cooperation if you need to switch to SCCs.
Common Questions From SMEs
Is The Data Bridge Mandatory?
No. It's optional. You can continue using SCCs (in the UK, the IDTA or the UK Addendum to the EU SCCs) plus a transfer risk assessment if that's already embedded in your contracts or preferred by your customers. Some businesses stick with SCCs for consistency across all countries without an adequacy decision.
What If My US Vendor Is Not Certified?
Then the bridge won’t apply. Use SCCs, complete a transfer risk assessment and consider technical measures like encryption or pseudonymisation. If certification is “in progress,” don’t rely on it until it’s live and listed.
Do I Need To Tell Customers?
Yes - transparency is a UK GDPR requirement. Update your privacy information to state that you rely on the UK-US Data Bridge for transfers to certified US recipients. If your website collects data, review your cookie consent and disclosure too.
Does This Cover All My US Tools Automatically?
No. It works on a recipient-by-recipient basis. Some tools may be certified and in scope; others may not be eligible. You need to check each vendor, including sub‑processors used by your main suppliers.
What Should Go In My Contracts?
For processors, ensure your Data Processing Agreement names the transfer safeguard (the UK-US Data Bridge) and obliges the vendor to maintain certification and assist with UK GDPR rights. For controller-to-controller sharing, set responsibilities clearly in a Data Sharing Agreement, including transparency and security commitments.
Do I Still Need To Assess Security?
Yes. Adequacy relates to the legal framework - it doesn’t certify a particular vendor’s security. Do your usual vendor due diligence, and if you use cloud services for files or backups, sanity-check configurations using the same lens you’d apply to cloud storage compliance.
Key Takeaways
- The UK-US Data Bridge is an adequacy pathway that lets UK businesses transfer personal data to certified US organisations without SCCs.
- You can only rely on it if the US recipient is on the DPF list and has opted into the UK Extension - check scope and keep evidence.
- It simplifies international transfers, but you still need strong contracts, including a Data Processing Agreement or a Data Sharing Agreement, and you must maintain UK GDPR compliance.
- Update your privacy notice, cookie consent and internal playbooks so you can honour access requests and apply deletion consistently.
- Build a back-up plan in case a vendor’s certification lapses - be ready to switch to SCCs and review your vendor list regularly.
- If you’re unsure which mechanism fits a particular tool or dataset, getting tailored advice will save time and reduce risk.
If you’d like help assessing your US vendors, updating your Privacy Policy or putting the right agreements in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.