After much deliberation, the UK-US data bridge finally took effect on 12 October. This new framework is expected to speed up processes and increase opportunities for companies that are exporting data-enabled services. Previously, organisations that wanted to do this had to have contract clauses in place to guarantee UK data protection and privacy standards are respected. According to the government’s guidance, the term ‘data bridge’ describes the decision to permit the flow of personal data from one country to another, without the need for additional safeguards, as required by Articles 46 and 49 of the UK General Data Protection Regulation (GDPR).
The Department for Science, Innovation and Technology (DSIT) fact sheet has affirmed that the data bridge is an opt-in certification scheme for US organisations. It consists of a set of principles that take the form of commitments to data protection that each organisation should adopt when using, collecting or disclosing personal data.
Essentially, UK businesses can transfer personal data to US companies without having to conduct transfer impact assessments (TIAs), provided that those US companies are certified under the UK Extension to the EU-US Data Privacy Framework (DPF). Of course, processors or data controllers can rely on other appropriate safeguards, such as binding corporate rules or standard contractual clauses, should they prefer. However, the government has emphasised that UK organisations need to update privacy policies and document their own processing activities as necessary to reflect any changes in how they transfer personal data to the US. Most importantly, the US importer must have self-certified to the DPF and the data bridge, and any personal data that has been transferred must be handled in accordance with the DPF principles upon receipt.
According to the European Commission, UK exporters that rely on the standard contractual clauses (SCCs) to transfer personal data to the US, or other third parties, must be aware that the EU SCCs can no longer be used for new agreements for data transfers from the UK. The EU SCCs must either be appended with the UK addendum to the EU SCCs, or UK data exporters should use the UK International Data Transfer Agreement (IDTA) instead. UK data exporters that have already concluded contracts based on the EU SCCs on or before 21 September, 2022, may continue to rely on the EU SCCs until 21 March, 2024. The Information Commissioner’s Office (ICO) issued a checklist, titled ‘A guide to international transfers,’ which it encourages companies to use in the interim.
Navigating the data landscape
Moving forwards, organisations will need to be scrupulous with their data management and ensure they have measures in place to comply with the new framework and the evolving data landscape. In the last year, businesses have had to respond to the Electronic Trade Documents Act, Northern Ireland (NI) Protocol data sharing agreement and the Schrems II legislation. In fact, Schrems II required organisations to carry out risk assessments before transferring data from the EU and EEA to countries that were not deemed adequate. Since then, businesses have had to put entirely new processes in place to comply with export jurisdictions.
There is no doubt that enterprises have big digital transformation projects ahead of them. All businesses will have to review their operations to ensure personal data transfers are lawful and compliant, and remain vigilant for the road ahead. This new data bridge, whilst it is advisory, sets the tone for the future of business. As per the government’s guidance, organisations should be reviewing current contract clauses and data protocols, if they are not already.
This new framework requires both parties – importer and exporter – to have adept contract management systems and secure data transfer protocols in place. All systems will need to be aligned with teams reviewing end-to-end processes, to ensure all data is accounted for across the entire contract lifecycle. Most importantly, organisations will need to educate themselves on the guiding principles of the framework and make sure that they fully understand the requirements and that their chosen exporter has done the same.
Next steps: review data flows and architecture
Data is vital to everyday business. If it is siloed or disconnected between departments, it can lead to considerable revenue and data leakage or potential compliance issues and fines. Now, more than ever, leaders need to get their houses in order and review their internal structures, integrate their systems and ensure that all data is accounted for across the operational cycle. Only then will businesses have more insight into how data flows between teams, systems and partners, and establish the next step in their digital transformation journey. It also puts businesses in a better position to assess their risk before sharing any data with third parties.
Naturally, short-term technology spending is expected to increase. However, organisations need to be careful here, as digital transformation programmes of this size are complex, and they cannot afford to keep redesigning or modelling their data architecture or systems. Instead, businesses need to approach this strategically and in a phased manner – especially when it comes to scaling solutions across their organisation and curtailing any disruption.
If leaders are unsure how to approach this or implement a digital change programme of this complexity, it is best practice to seek expert advice to ensure their business is adhering to the new guidelines. The new data bridge is a turning tide, setting the tone for the future of business. Organisations should expect more legislative changes further down the line. The data landscape is constantly changing. Businesses need to anticipate this to ensure that they are in the best position, with the right systems and digital tools in place, to respond to any new regulations as they unfold.
Charlie Bromley-Griffiths is corporate counsel at Conga, a specialist in SaaS for revenue lifecycle management