Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is The International Data Transfer Agreement (IDTA)?
- Why Was The IDTA Introduced?
- When Do You Need To Use The IDTA?
- What Are ‘Adequacy Decisions’ And Why Do They Matter?
- How Does The IDTA Work?
- What’s The Difference Between The IDTA And The EU’s Standard Contractual Clauses?
- What Are The Core Components Of The IDTA?
- How Does The IDTA Relate To Other UK Data Privacy Rules?
- What Should UK Businesses Do Now?
- What About Working With US Providers Or Cloud Services?
- The Role Of The ICO And Ongoing Guidance
- Can I Use Standard Templates For The IDTA?
- Key Takeaways: How To Stay Compliant With International Data Transfers
Moving data across borders is now a daily part of business – whether you’re working with overseas suppliers, using cloud services hosted outside the UK, or expanding to new markets. But while international relationships bring opportunity, they also raise a vital question: how do you keep personal data protected when it’s sent to places with different privacy laws?
That’s where the UK’s International Data Transfer Agreement (IDTA) comes in. The IDTA is a legal contract that helps businesses lawfully transfer personal data outside the UK, ensuring the data is protected just as robustly as it would be at home. If you run a UK business and deal with customers, staff, or partners abroad, understanding – and correctly using – the IDTA is now a core compliance step you can’t afford to ignore.
In this guide, we’ll break down what an International Data Transfer Agreement is, when you need it, how it compares with the EU’s rules, and what you actually need to do to get your compliance right from the start.
What Is The International Data Transfer Agreement (IDTA)?
The International Data Transfer Agreement – or IDTA for short – is the UK’s own framework for protecting personal data when you send it to countries that are not granted an “adequacy decision.” Basically, if personal data is leaving the UK for a country that isn’t officially recognised as offering equal protection, you’ll need the IDTA in your toolkit.
The IDTA is designed to ensure that, even if data travels to a place where privacy law is more relaxed, the individual’s rights are still respected to UK standards. It’s a contract between the organisation sending the data (the exporter, which may be your business) and the organisation receiving the data (the importer, which could be an overseas service provider, partner, or group company).
Why Was The IDTA Introduced?
Let’s step back for a second. If you remember pre-Brexit data law, UK businesses used the EU’s Standard Contractual Clauses (SCCs) when sending data abroad. But after leaving the EU, the UK needed a specifically tailored solution – one that matches UK law and is flexible for our trading relationships.
On 21 March 2022, the IDTA officially came into force, after being laid before the UK Parliament the previous month. This move followed a big shift in the international landscape: the Schrems II judgment from the European Court of Justice. That decision made it clear that any data transfer regime needs to robustly guarantee data subjects’ rights – even if that data is processed in places with less regulation.
Since then, if you’re making new international data transfers (from the UK) to countries without an adequacy decision, you must use either the IDTA or – if you also need to comply with EU rules – a UK Addendum to the new EU SCCs. The old SCCs (pre-2021 versions) are now being phased out for UK transfers.
When Do You Need To Use The IDTA?
The short answer: whenever your business is sending personal data (think names, emails, addresses, client file info, even employee data) outside the UK to a country that doesn’t have a UK government adequacy decision in place.
Here are the most common situations where an IDTA is needed:
- Your cloud service provider is based in the US, India, or Australia
- You outsource HR or payroll services to a supplier in South Africa, or a tech team in Brazil
- You share customer data with an overseas franchisee or subsidiary
In other words, unless the destination country appears on the UK’s list of “adequate” jurisdictions (such as the EEA, some key Asian countries, or others the UK deems secure), you must put the right legal protection in place.
What about ongoing contracts? If your contract involving personal data transfers was signed before 21 September 2022, the old SCCs may still be valid for a short period, but they’ll need updating. For any new or renewed contracts – and all contracts by 21 March 2024 – the IDTA (or the Addendum, if also using EU SCCs) is compulsory.
If you’re not sure whether your arrangements are in scope, take a look at our guide to online business legal requirements or chat to our team for a quick assessment.
What Are ‘Adequacy Decisions’ And Why Do They Matter?
Adequacy decisions are essentially the UK government’s stamp of approval for a country’s data protection regime. If a country is judged to provide “essentially equivalent” legal protection to UK data privacy law, you can send UK personal data there without using extra legal tools like the IDTA.
- Examples of adequate countries: EU/EEA states, Gibraltar, New Zealand, Israel, and others (subject to ongoing revision – always check the latest UK government list!)
- If personal data is heading somewhere not on this list, that’s where the IDTA kicks in.
If you want to understand more about adequacy lists and how to identify international transfer risks, check out our article on data breach response plans.
How Does The IDTA Work?
The International Data Transfer Agreement is a set of standardised clauses – think of it like a contract template, carefully crafted by the UK’s Information Commissioner’s Office (ICO). When two organisations sign up to the IDTA, they each accept binding, enforceable commitments about how personal data will be protected.
Key features of the IDTA include:
- Clear obligations for both data exporters (your business) and data importers (the overseas partner/service provider)
- Detailed requirements for data security, confidentiality, and responding to data subject requests
- Commitments that overseas recipients won’t misuse or over-process data
- Mechanisms for individuals to enforce their data rights, even if their info is stored abroad
- Guidance for dealing with government access requests, legal obligations, and challenges to misuse
- Compatibility with additional privacy documentation such as your organisation’s Privacy Policy and Data Protection Impact Assessments (DPIAs)
The agreement is flexible: businesses are expected to tailor some parts (such as identifying the specific data being sent and the security measures in place), but the core legal protections cannot be diluted.
What’s The Difference Between The IDTA And The EU’s Standard Contractual Clauses?
If you do business in both the UK and the EU, you might be wondering: can I just use the new EU Standard Contractual Clauses (SCCs) for both? The answer is: not quite. Post-Brexit, the UK has its own legal regime, and while it aligns with EU GDPR in many ways, the documents themselves are separate.
Here’s a quick side-by-side overview:
- EU Standard Contractual Clauses: Required for EU-to-non-adequate third country transfers. Adopted by the EU Commission and updated in 2021.
- UK IDTA: Specifically required for UK-to-non-adequate country transfers.
- UK Addendum: If your contracts need to comply with both UK and EU GDPR (common in global businesses), you can use the new EU SCCs + a specific UK Addendum. The Addendum “bolts on” to the EU document to satisfy UK requirements as well.
This means UK businesses with a multinational presence will often need to review and update their contracts on both fronts, ensuring the correct documents are applied for each type of transfer.
For a practical deep dive on drafting internationally enforceable contracts, you may find our guidance on international contracts helpful.
What Are The Core Components Of The IDTA?
So, what actually goes into an International Data Transfer Agreement? The IDTA is thorough, and while much of it is pre-drafted, you must insert business-specific details before use. Here are its main parts:
- Parties and Transfers: Who is sending and receiving data, and what data is being sent?
- Purpose and Duration: Why is the data being transferred, and for how long will it be kept?
- Security Measures: Technical and organisational steps to protect the data (encryption, access controls, regular audits, etc.).
- Data Subject Rights: Mechanisms for people to access, correct, or delete their data, wherever it’s stored.
- Accountability and Transparency: Requirements for both parties to be open about how data will be used, including when data is accessed by authorities.
- Legal Remedies and Redress: Clear dispute resolution and compensation mechanisms for affected individuals.
It’s vital to avoid copying documents from online templates – your IDTA must accurately reflect the reality of your transfer, be properly completed, and form part of a binding agreement. If in doubt, get your agreement professionally reviewed.
How Does The IDTA Relate To Other UK Data Privacy Rules?
The IDTA sits alongside your other privacy obligations as a UK business. In particular, pay close attention to:
- UK GDPR and Data Protection Act 2018: Your data collection, storage, and processing must still comply with UK “home” law. The IDTA is about overseas transfers – it doesn’t replace general obligations to lawfully obtain and use data.
- Privacy Policies and Collection Notices: You must be transparent (for example, in your Privacy Policy) about where personal data is being stored and why it’s being exported.
- Data Protection Impact Assessments (DPIA): For high-risk transfers, you may need to conduct and document a DPIA examining the risks of exporting data outside the UK. Learn more in our DPIA guide.
- Regular Reviews and Updating: If your partners, suppliers or group companies change, or the law is updated, review your international data transfer arrangements and refresh your documents accordingly.
It’s important to keep track of your wider legal exposure, so you remain fully protected and compliant as your business grows.
What Should UK Businesses Do Now?
With the IDTA now firmly established in UK law, it’s time for business owners and compliance teams to take stock. Don’t wait for a new contract to trigger your review – proactively auditing your international data flows will save you headaches down the line.
- Map Your Data Flows: Identify where you send or store personal data outside the UK. List your suppliers, partners or applications which involve transfers to “non-adequate” countries.
- Check Your Contracts: If transferring data, does your existing agreement have up-to-date transfer clauses? If not, it may be time for an upgrade.
- Choose The Right Document: For UK-only compliance, use the IDTA. If you need to cover both EU and UK requirements, use the new EU SCCs plus the UK Addendum. If you’re not sure which applies, seek specialist privacy advice.
- Assess The Risks: For new or complex transfers, carry out a transfer risk assessment – note any local legal threats, surveillance risks, or areas where privacy can’t be assured. The Information Commissioner’s Office (ICO) is releasing further guidance on how to do this in practice.
- Review Your Policies: Update your Privacy Policy and staff training to ensure everyone understands their obligations with international data flows.
The ICO recommends businesses stay up-to-date with guidance, so keep an eye on their resources for practical updates.
What About Working With US Providers Or Cloud Services?
A common scenario is using a large US tech provider (like a cloud, SaaS, or CRM supplier) to support your UK business. The US does not have a UK adequacy decision, so transfers there must be covered by an IDTA (or Addendum + new EU SCCs if both apply).
It’s important to review these suppliers’ agreements carefully – don’t assume they’ve already updated for UK compliance, especially if they’re based outside Europe. If needed, request their UK/IDTA-compatible contract or ask for a custom agreement. This step is vital to protect yourself from regulatory enforcement or the risk of losing key customer data.
If working with UK start-up technology providers or custom software, you should also make sure your software development agreements cover data transfer and security obligations.
The Role Of The ICO And Ongoing Guidance
The UK’s Information Commissioner’s Office (ICO) has been proactive in helping businesses adjust to the new regime. You can expect ongoing guidance, including:
- Clause-by-clause walkthroughs of the IDTA
- Standard templates and examples
- Advice on carrying out transfer risk assessments
Check the ICO website regularly for new materials, as increased enforcement means non-compliance could result in investigations or even fines.
Can I Use Standard Templates For The IDTA?
As tempting as quick templates may be, don’t just download a generic IDTA and fill it in without thought. Your agreement should reflect your unique business, data types, and risks.
If you need the confidence of a watertight contract – and avoidance of expensive mistakes or disputes – it really is worth getting a custom data protection pack tailored to your circumstances.
Avoid drafting it yourself – remember, it’s binding for both parties and needs to stand up in case of a data breach or regulatory review.
Key Takeaways: How To Stay Compliant With International Data Transfers
- The IDTA is now the standard legal tool for transferring personal data from the UK to countries not recognised as “adequate.”
- It must be used for new contracts (and all contracts by March 2024) involving these “restricted” data transfers.
- Don’t use the new EU SCCs on their own for UK compliance – add the UK Addendum if you need to meet both sets of rules.
- Check – and regularly update – your supply chain, contracts and Privacy Policy to reflect where data is stored or processed.
- You’re responsible for ensuring the IDTA is properly completed, signed, and enforced for each transfer scenario.
- Stay up-to-date with ICO guidance, and consider tailored legal advice to cover complex or high-risk data flows.
- Strong contracts and privacy practices from day one are vital – don’t wait for a problem to expose a compliance gap.
If you want help drafting or updating your International Data Transfer Agreement, or reviewing your business’ overall privacy compliance, you can reach us at team@sprintlaw.co.uk or call 08081347754 for a free, no-obligation chat. We’re here to help UK businesses stay compliant, protected, and confident in their international data strategies.


