UK IDTA Explained: How to Use the International Data Transfer Agreement under UK GDPR

TL;DR:

The UK introduced the International Data Transfer Agreement (IDTA) in March 2022 to replace the EU’s Standard Contractual Clauses (SCCs) after Brexit. It gives UK organizations their own legally valid mechanism for transferring personal data to countries without UK adequacy status under Article 46 of the UK GDPR and clarifies IDTA data protection expectations for exporters and importers.
Post-Brexit, UK businesses could no longer rely on EU SCCs alone for lawful data exports. The IDTA closes that gap, ensuring UK-to-non-adequate country transfers remain compliant and secure, with mandatory Transfer Risk Assessments (TRAs) to address foreign law conflicts.
The IDTA sits alongside other UK transfer mechanisms, such as adequacy decisions, Binding Corporate Rules, and the EU SCCs with UK Addendum. It’s the simplest standalone option for UK-only data flows, while organizations with both UK and EU operations often prefer the SCC + Addendum combination.

What Is the UK IDTA?

The UK IDTA (International Data Transfer Agreement) is a standardized contract issued by the UK Information Commissioner’s Office (ICO) under UK law to enable lawful transfers of personal data from the UK to countries without an adequacy finding.

In other words, when your organization transfers UK data to a non-adequate third country, the IDTA acts as a set of binding data protection clauses (like the old EU SCCs) to meet Article 46 UK GDPR requirements. It was promulgated under the Data Protection Act 2018 (Section 119A) in 2022, with final approval by Parliament on 21 March 2022. At that point, the IDTA (and a separate UK Addendum to the EU SCCs) officially came into force.

The IDTA is sometimes described as the UK’s version of the EU’s new SCCs. It covers the same ground, binding exporter/importer obligations on security, data subject rights, breach notification, etc., but in a single unified template. By contrast, the new EU SCCs use separate “modules” for different party roles and types of transfer. The IDTA’s text is filled out in a “fill-in-the-blank” format: parties list the types of data, purposes, security measures, and roles of exporter and importer in the tables and annexes. It is expressly designed to provide “appropriate safeguards” under UK law for restricted transfers, taking into account the Schrems II requirements.

Because it was needed after Brexit, the IDTA works alongside the UK Addendum. Exporters have a choice: for UK-originating data, you can either use the standalone UK IDTA or use the EU SCCs (2021 version) plus the ICO’s UK Addendum. The UK Addendum simply attaches to and modifies the EU SCCs so they work under UK GDPR. Both options (IDTA or SCC+Addendum) satisfy Article 46 for non-adequate transfers. Many organizations with data in both the UK and the EU find it simpler to adopt the EU SCCs + UK Addendum universally, but UK-only flows can rely on the single IDTA document.

When Do You Need to Use the IDTA?

You need the IDTA whenever you make a restricted transfer of UK personal data to a country or territory that is not covered by a UK adequacy decision. For any UK-origin data sent to non-adequate countries, you should either complete the UK IDTA or apply the EU SCCs with the UK Addendum.

For example, a UK company storing staff records on a US cloud server definitely needs a safeguard; that can be the IDTA if no adequacy applies. Sending data to Canada or the EU, which have adequacy status, does not require the IDTA. If you only make transfers within the same corporate group in the UK, it’s not a restricted transfer at all. Thus, if you pick the IDTA, the contract must meet UK IDTA requirements and demonstrate the IDTA data protection measures you rely on

IDTA vs EU SCCs with UK Addendum

The IDTA and the EU SCCs+UK Addendum serve the same purpose, but have some key differences:

Format/Modularity: The IDTA uses one template for all transfers (controller-to-controller, controller-to-processor, etc.). There are no separate modules. You simply identify the roles of exporter/importer in the IDTA’s tables. By contrast, the new EU SCCs have multiple modules (e.g., Module 1 for controller-to-controller, Module 2 for controller-to-processor, and so on). This means the IDTA can be used “as is” in any scenario without picking modules.
Article 28 (Processor) obligations: The IDTA does not itself meet Article 28 (the UK data protection requirement for controller-processor contracts). If you use the IDTA and the importer is a processor, you must have a separate processing agreement that includes all Article 28 clauses (the IDTA calls this a “linked agreement”). You attach or incorporate a DPA to cover those obligations. The EU SCCs, by contrast, include optional processing clauses in their modules, so a standalone DPA is not always needed when using SCCs.
Dispute resolution: The IDTA introduces an optional arbitration scheme. Parties (or even individual data subjects) can choose to resolve disputes under an IDTA arbitration framework based on LCIA rules. (Notably, the ICO removed itself from the list of possible arbiters – arbitration is only between the parties or data subjects now.) The EU SCCs do not have a formal arbitration option; enforcement is normally through court systems or regulatory action. In all cases, individuals always keep the right to bring claims under UK GDPR.
Scope of use: The IDTA is only suitable for transfers originating in the UK. It cannot be used to meet EU GDPR obligations. The EU SCCs + UK Addendum can be used for transfers of EU or UK data, which makes them a natural choice for mixed UK/EU businesses.

We can say that IDTA is great for UK-only transfers (one document, one set of clauses), while EU SCCs + UK Addendum might be better for multinational operations covering both UK and EU. Both meet the UK GDPR Article 46 requirement.

Key Obligations Under the IDTA

The IDTA imposes several important obligations on both the data exporter (usually the UK entity) and the data importer (in the third country). The following are the UK IDTA requirements:

Specified Data and Purpose: The agreement’s Annex I requires listing exactly what personal data is being transferred, the categories of data subjects, and the purpose of processing. The parties must stick to those limits. You can only process for the stated purpose and data categories.
Security Measures: Both exporter and importer must implement technical and organizational security safeguards in line with UK GDPR standards. The contract assumes measures (often listed in Annex II) like encryption, access controls, etc., to keep the data safe.
Data Subject Rights: The importer must uphold UK GDPR-style rights for individuals. In practice, that means honoring rights like access, correction, and erasure on behalf of the exporter. Each party must ensure the other can facilitate data subject requests. (LegalVision explains that the IDTA ensures data subjects “can access, correct, or delete their data” after transfer.)
Breach Notification: If a personal data breach affects the transferred data, the contract requires prompt notification. Specifically, any incident that “results in risk to rights and freedoms” must be reported through the chain (often importer to exporter, and then to regulators/data subjects as needed).
Transparency to Data Subjects: If the importer is acting as a separate controller, it must make certain information available to UK data subjects. For example, it should inform them of its identity, processing purposes, and any recipients of the data. (If direct notice is too burdensome, a public notice is allowed instead.) This ensures individuals know their data went to another country.
Local Laws Disclosure: The importer is obligated to inform the exporter about relevant foreign laws and practices affecting the cross-border data transfer. In the final IDTA text, the importer must provide “relevant information” about local data laws, risks, and protections, though it no longer has to guarantee completeness. This flows into the Transfer Risk Assessment (Step 4 below): essentially, the importer flags any legal constraints or government access that might undermine the transfer.
Bilateral Cooperation: Both parties agree to cooperate with UK supervisory authorities (ICO). They should give mutual assistance for audits or investigations.
Termination Clause: Notably, the IDTA allows either party to terminate the agreement under certain conditions. Suppose changes in law or circumstances cause a “substantial, disproportionate and demonstrable increase” in cost or risk of complying with the IDTA. In that case, the party may end the agreement after trying to mitigate those issues. This gives some relief if, say, new local laws make compliance exceedingly difficult.

Transition Timeline & Legacy Contracts

When the IDTA was introduced, the ICO also set transitional rules for older contracts. In brief:

Old SCC Grace Period: Any international data transfer contracts using the old EU Standard Contractual Clauses (Directive-era SCCs) that were signed on or before 21 September 2022 can continue to be used under UK GDPR until 21 March 2024. This gives organizations time to migrate. From 22 September 2022 onward, new contracts had to use the IDTA or the new SCCs + UK Addendum; you cannot sign brand-new deals on the old SCCs after that date.
Migration Deadline: By 21 March 2024, all those legacy contracts must be replaced. At that point, they must be updated to use either the UK IDTA or the (new) EU SCCs with the UK Addendum. If you miss this, you’d be transferring data without appropriate safeguards under UK law.
Approach for Existing Contracts: If you still have an old SCC contract (without the addendum) that falls under the transition, plan now to update it. We recommend proactively contacting the foreign party to negotiate the insertion of the IDTA or Addendum terms. Remember that the IDTA can often simply be used “as is” (with annexes filled) to replace an old SCC.
New Contracts: Any transfer agreement signed after the transition cutoff (post-Sep 2022) should directly use the IDTA or EU SCC+Addendum. Do not rely on the old clauses going forward.

How to Implement the IDTA in Practice

Follow these practical steps to roll out the IDTA for your transfers:

Step 1: Map cross-border data flow

First, inventory what personal data flows from the UK to other countries (and to whom). Identify data types, categories (employees, customers, etc.), and the transfer destinations. Understanding these flows is the foundation of any compliant transfer strategy.

Step 2: Choose the right transfer tool (IDTA vs SCC+Addendum)

Based on your map, decide if the IDTA is appropriate or if you should use EU SCCs + Addendum. Use the IDTA when the transfer is from the UK to a non-adequate country and not mixed with EU personal data. Use EU SCCs + Addendum if the same contract needs to cover both UK and EU-origin transfers (common in multinational contracts). Of course, if the destination has UK adequacy (e.g., UK to UK/EU-data-transfer or an adequacy country), special contracts aren’t needed. Otherwise, plan to use the IDTA.

Step 3: Complete the IDTA contract

The IDTA is a fillable template (Word/PDF). Follow these steps:

Table 1 (Parties): Enter the exporter’s and importer’s names, addresses, and contact info in the agreement header.
Table 2 (Transfer Details): Here, you specify the transfer. Tick the roles: indicate whether the importer is acting as a controller or a processor of the transferred data, and identify the relationship between parties (controller–controller, controller–processor, etc.). List the data categories (Annex I) and security measures (Annex II).
Annex I (Description of the transfer): Describe the personal data fields, categories of data subjects, and processing purposes.
Annex II (Technical and organizational measures): Detail your security safeguards (e.g., encryption, access control) or reference existing measures.
Linked Agreement: If the importer is a processor, ensure you have an Article 28-compliant processing agreement in place (the “linked agreement” the IDTA requires).
Signatures: Both exporter and importer must sign and date the IDTA.

Step 4: Conduct a Transfer Risk Assessment (TRA)

Before finalizing, do a TRA: evaluate whether the importing country’s laws could undermine the IDTA’s protections. The ICO guidance explicitly calls for this as part of using any Article 46 tool. Check for local surveillance laws, restrictions, or enforcement issues. If conflicts exist, document them and consider additional measures (like encryption, anonymization, etc.) to mitigate the risk. Only proceed if you’re confident the IDTA (with any extra safeguards) will keep data protections “essentially equivalent” to UK GDPR.

Step 5: Ongoing monitoring and review

Once implemented, don’t “set and forget.” Regularly review your international transfers. If the UK or destination country law changes (e.g., a new adequacy decision, a change in government access rules), re-evaluate your approach. The IDTA itself anticipates updates: clauses allow parties to revise security arrangements or even replace the IDTA if needed. Keep copies of signed agreements and annexes, and update them if, say, your processing purpose changes. Annual audits or checks are good practice.

Examples & Use Cases

UK → US transfers: A UK company storing customer data on a US cloud server should use the IDTA (since the US isn’t adequacy-covered under UK law). If the same contract also involves EU data (e.g., sending EU customer data to the same US service), many choose to use the EU SCCs + UK Addendum to cover both. But if only UK data is involved, the IDTA suffices by itself.
UK → Other non-adequate countries: Transfers to countries like India, China, Brazil, etc., all require the IDTA (assuming no adequacy). For instance, outsourcing UK payroll processing to an Indian vendor would normally use the IDTA along with a separate DPA if it’s a processor relationship.
Group operations (UK & EU): A multinational group with offices in both the UK and EU might use the EU SCCs with the UK Addendum in its global data transfer agreements. This way, one set of clauses (the EU SCC modules + UK Addendum) can cover all branches. They might still use IDTA for purely UK-internal agreements, but for any contract touching both EU and UK personal data, the Addendum approach often simplifies things.
UK → Adequate transfers: If you’re sending data to an adequate country (e.g., to Switzerland, Japan (commercial data only), or the EU/EEA), then neither the IDTA nor SCCs are needed – you can transfer freely. But if your processes also transfer to non-adequate locations as part of a larger chain, you’d still need the IDTA for that leg.
UK → Internal group transfers: If your UK entity sends data to an overseas affiliate that is a branch (not a separate legal entity), that’s not considered a restricted transfer. No IDTA needed in that case (it’s an intragroup transfer).

These scenarios highlight that the choice of tool depends on who’s transferring data and where. The IDTA is particularly useful for UK-to-US or UK-to-East-Asia data flows, while the SCC+Addendum combo may be preferable when EU data are also in play.

Risks and Pitfalls to Watch Out For

While the IDTA offers a clear path to compliance, there are common traps to avoid:

Skipping the TRA: One major pitfall is treating the IDTA as a formality and forgetting the Transfer Risk Assessment. UK regulators expect a robust TRA for each transfer to uncover conflicts (like foreign surveillance laws). Skimping on this can leave you blind to a problem that later invalidates your safeguard.
Missing the deadline: Don’t overlook the transition timeline. If you still rely on old SCCs past 21 March 2024, your transfers will violate UK GDPR. Plan your contract updates now rather than later.
Confusing roles: Be careful to correctly identify each party’s role in Table 2. Mislabeling a processor as a controller (or vice versa) could lead to improper handling. Also, remember: if you mark the importer as a processor, you must have that separate DPA attached. Forgetting the “linked agreement” is a common error.
Incomplete annexes: A half-filled Annex I or II might invalidate the IDTA’s protections. Make sure you fully describe the data categories and security measures as realistically implemented. Generic or blank entries defeat the point of the template.
Overlooking adequacy: Don’t use the IDTA when you don’t need to. For transfers to adequacy countries (like Canada or the USA under the Data Privacy Framework), normal data security measures suffice. Using IDTA where it is not needed can complicate things.
Failure to enforce: Remember, the IDTA is only as good as your enforcement. Make sure that the importer truly follows UK standards. If your contract’s counterparty is unwilling to comply (for example, they refuse to provide TRA info or breach notification), re-evaluate the transfer or find a different partner.
Assuming it’s permanent: The IDTA is an ICO template and might be updated over time. Don’t assume the version you sign remains valid forever without review. Clause updates and new versions may be issued.

By staying aware of these issues (and using the GDPR Compliance Checklist for transfer projects), you can avoid common compliance gaps.

Why Use IDTA with DPO Consulting’s Support

Implementing international transfer safeguards can be complex, which is why many organizations enlist expert help. Our International DPO Services team specializes in exactly this. We bring in-depth knowledge of UK GDPR vs EU GDPR, PDPA compliance, and other global privacy laws to support your transfers. Here’s how we can help:

Expert selection of tools: We help you choose between the IDTA, SCC + UK Addendum, or other tools based on your data flows and jurisdiction.
TRA support and safeguards: We guide your Transfer Risk Assessments, identifying conflicts with local laws and suggesting extra safeguards like encryption or pseudonymization.
Contract drafting & review: We handle the legal detail, completing IDTAs, linked Article 28 agreements, and negotiating terms with importers..
Compliance audits: We spot outdated SCCs, update them, and ensure migration to IDTA or SCC + Addendum before deadlines.
Ongoing monitoring: Our experts track evolving laws (like adequacy decisions or changes abroad) so your transfers remain compliant.

Working with our DPO experts means you’ll have confidence that your international transfers are legally sound and well-documented. Get in touch to leverage our International DPO Services and make sure your global data flows stay compliant with UK GDPR and beyond.

FAQ

What is a “restricted transfer” under UK GDPR?

A “restricted transfer” is basically any transfer of UK-regulated personal data to a foreign destination that triggers UK GDPR Article 46 rules. In practical terms, it means sending personal data outside the UK (or making it accessible to a separate entity outside the UK) when the recipient is a distinct controller or processor.

Can we still use EU SCCs after Brexit?

Yes and no. Post-Brexit, you cannot rely on EU SCCs alone for UK data transfers. Instead, you must either add the ICO’s UK Addendum to the new EU SCCs or use the UK IDTA. The old pre-2010 SCCs can only be used under the transitional rules (contracts by 21 Sept 2022 running until 21 Mar 2024). For new transfers, the choice is: (a) UK IDTA, or (b) EU SCCs (2021 version) with the UK Addendum. If your transfers involve EU personal data as well, many organizations stick with option (b) for simplicity. But purely UK transfers can use the IDTA.

Do we need a TRA with every IDTA?

Yes. The whole point of Article 46 safeguards is that you must verify they actually protect data under local law. UK guidance makes it clear that a Transfer Risk Assessment (TRA) is expected whenever using the IDTA (or any contractual clauses).

What happens if a destination country’s laws conflict with UK GDPR?

If you discover a conflict (for example, foreign surveillance laws that could force disclosure of the data), the IDTA has built-in measures. First, the importer must inform you of such laws as part of the TRA process. Your TRA should identify any “legal limitations” on the importer’s ability to meet the IDTA terms. If the IDTA can no longer deliver appropriate safeguards due to local law, you must pause or stop the transfer. The importer is still required to keep any existing security measures, but effectively, the transfer can’t proceed lawfully under UK GDPR. In practice, this means you either put extra technical measures (like encryption that even the local government can’t break) or cease the transfer if that fails. The IDTA also allows termination in such “substantial risk” cases. Always consult legal counsel if a serious conflict arises.

When do we need to migrate old SCC contracts?

Any contract on the old (Directive-era) SCCs that was signed on or before 21 September 2022 could stay in effect until 21 March 2024. After that, it no longer qualifies as a legal safeguard under UK GDPR. So yes, by 21 March 2024, you must replace or amend those legacy contracts.

DPO Consulting: Your Partner in AI and GDPR Compliance

Investing in GDPR compliance efforts can weigh heavily on large corporations as well as smaller to medium-sized enterprises (SMEs). Turning to an external resource or support can relieve the burden of an internal audit on businesses across the board and alleviate the strain on company finances, technological capabilities, and expertise.

External auditors and expert partners like DPO Consulting are well-positioned to help organizations effectively tackle the complex nature of GDPR audits. These trained professionals act as an extension of your team, helping to streamline audit processes, identify areas of improvement, implement necessary changes, and secure compliance with GDPR.

Entrusting the right partner provides the advantage of impartiality and adherence to industry standards and unlocks a wealth of resources such as industry-specific insights, resulting in unbiased assessments and compliance success. Working with DPO Consulting translates to valuable time saved and takes away the burden from in-house staff, while considerably reducing company costs.