International Data Transfers Under UK GDPR: A Plain-English Guide
International data transfers under UK GDPR can happen whenever personal data is stored, accessed or processed outside the UK — including through cloud software, overseas support teams or group companies. This guide explains the key rules in plain English, covering adequacy decisions, IDTAs, the UK Addendum to EU SCCs, the UK-US Data Bridge and the practical checks organisations should complete before transferring personal data abroad.
E
Eleanor Whitcombe
Jul 13, 2026
9 min read
International data transfers under UK GDPR shown through cloud data flows and compliance documents

International data transfers UK GDPR rules apply the moment personal data leaves the UK — whether that's data stored on an overseas server, accessed by a support team abroad, or processed by a cloud provider based outside the country. For DPOs, IT managers, and business owners working with overseas suppliers, understanding these rules is essential, because getting them wrong can mean processing that's unlawful from the outset.

This guide sets out, in plain English, how UK GDPR data transfer rules work — including adequacy decisions, the IDTA, and the practical steps organisations need to take before sending personal data outside the UK.

Why International Data Transfer Rules Exist

UK GDPR restricts transfers of personal data outside the UK for a simple reason: once data leaves the UK, it's no longer automatically protected by UK data protection law. Other countries may have weaker legal protections, different enforcement mechanisms, or laws that give government authorities broader access to personal data than UK law would allow.

International transfer rules exist to ensure that personal data continues to receive an equivalent standard of protection after it leaves the UK, regardless of where it ends up. This is achieved either through a formal recognition that a destination country's laws are adequate, or through specific contractual safeguards that impose UK GDPR-equivalent obligations on the receiving party.

What Counts as a Restricted Transfer?

Not every instance of data crossing a border is automatically a "restricted transfer" in the legal sense, but many common business scenarios are. A restricted transfer typically occurs when:

  • Personal data is sent to, or accessed by, an organisation or individual located outside the UK
  • The recipient is subject to processing instructions from a UK-based controller or processor
  • No exception applies (such as very specific, limited derogations set out in UK GDPR)

Common examples include:

  • Using a cloud storage or SaaS provider with servers or support staff based overseas
  • Sharing HR or customer data with an overseas parent company or group entity
  • Engaging an offshore outsourcing provider (such as a customer service or payroll processor) based outside the UK
  • Remote access to UK-held data by staff or contractors working from outside the UK

If any of these apply to your organisation, you need a valid transfer mechanism in place before the transfer happens — not as an afterthought once the arrangement is already live.

UK Adequacy Decisions Explained

The most straightforward transfer mechanism is an adequacy decision. Where the UK government has formally recognised that a country, territory, or organisation provides an adequate level of data protection, personal data can generally be transferred there without needing additional safeguards.

The UK has its own adequacy regulations, separate from the EU's. Following Brexit, the UK initially carried over the EU's adequacy decisions as they stood at the time, and has since continued to review and, in some cases, extend its own adequacy findings independently of the EU.

Because the list of countries covered by UK adequacy regulations can change, and the UK and EU frameworks don't always align exactly, organisations should check the current position directly via the ICO's international transfers guidance and the UK government's data protection legislation pages, rather than relying on outdated lists. Assuming a country is covered simply because it once appeared on an EU adequacy list is a common and risky mistake.

The International Data Transfer Agreement (IDTA)

Where a destination country isn't covered by an adequacy decision, organisations need an alternative transfer mechanism — most commonly, a contractual safeguard. The International Data Transfer Agreement (IDTA) is the UK's own standard contract for this purpose.

Key points about the IDTA:

  • It's the UK's equivalent of the EU's Standard Contractual Clauses (SCCs), designed specifically to work under UK GDPR and the Data Protection Act 2018
  • It sets out binding obligations on the data importer to protect personal data to a standard equivalent to UK GDPR
  • It must be entered into by both parties — the UK-based exporter and the overseas importer — before the restricted transfer takes place
  • It works alongside, not instead of, a transfer risk assessment (covered below)

The IDTA is now the primary transfer mechanism most UK organisations use for transfers to countries without adequacy status, replacing reliance on the old EU SCCs for UK-only transfers.

Understanding when and how to put an IDTA in place is a core skill for anyone managing data protection compliance. Our GDPR Training for Data Protection Officers course covers the IDTA and other transfer mechanisms in practical, applied detail.

The UK Addendum to EU Standard Contractual Clauses

Many UK organisations work with suppliers or group companies that also need to comply with EU GDPR, particularly where a transfer involves both UK and EU data subjects. In these cases, using two entirely separate agreements — the IDTA for UK data and the EU SCCs for EU data — can be unnecessarily complex.

To address this, the UK offers an alternative: the UK Addendum to the EU SCCs. This allows organisations to use the EU's Standard Contractual Clauses as the base agreement, with a UK-specific addendum attached that adapts the clauses to meet UK GDPR requirements.

This approach is often more practical for organisations that:

  • Are part of an international group already using EU SCCs for other transfers
  • Work with suppliers who are more familiar with, or already using, EU SCC templates
  • Want a single contractual framework covering both UK and EU data flows, with the addendum bridging the gap

Whether an organisation uses a standalone IDTA or the UK Addendum to EU SCCs, the underlying goal is the same: ensuring the data importer is contractually bound to protect personal data to a standard equivalent to UK GDPR.

Using US Cloud Providers and the Data Privacy Framework

Given how widely US-based cloud and SaaS providers are used by UK organisations, this is one of the most practically important areas of international transfer compliance.

The UK-US Data Bridge, which extends the EU-US Data Privacy Framework (DPF) to the UK, allows transfers of personal data to US organisations that have self-certified under the framework, without needing a separate IDTA or SCCs.

Practical points for UK organisations using US providers:

  • Not all US companies are certified under the Data Privacy Framework — certification is organisation-specific, and coverage should be checked, not assumed
  • Even where a provider is certified, the certification needs to specifically cover the UK extension (the UK-US Data Bridge), not just the EU-US framework
  • Where a US supplier isn't certified under the framework, an IDTA or UK Addendum to EU SCCs will typically be needed instead
  • The Data Privacy Framework's status has shifted before and could do so again, so organisations relying on it should monitor ICO and government updates rather than treating it as a permanent fixture

Given how central US cloud and SaaS tools are to most modern businesses, checking transfer mechanisms for every overseas supplier — not just assuming a well-known provider is automatically compliant — is essential due diligence.

Transfer Risk Assessments

Having a signed IDTA or SCC addendum in place isn't the end of the compliance obligation. UK GDPR also expects organisations to carry out a Transfer Risk Assessment (TRA) before relying on these mechanisms, to genuinely assess whether the data will be adequately protected in practice.

A TRA typically considers:

  • The nature of the personal data being transferred, and the potential impact if it were accessed inappropriately
  • The laws and practices of the destination country, particularly around government or law enforcement access to data
  • The safeguards the importer has in place, both contractual and technical (such as encryption)
  • Whether the transfer mechanism chosen genuinely provides an equivalent level of protection given the specific circumstances

TRAs should be documented, retained, and reviewed periodically — particularly if circumstances change, such as a shift in the destination country's laws or a change in supplier practices. This documentation is also important evidence of accountability if the ICO ever queries an organisation's transfer arrangements.

Carrying out meaningful transfer risk assessments — rather than treating them as a paperwork formality — is a skill that benefits from structured training. Our Data Protection Officer training course covers how to conduct and document TRAs as part of a wider transfer compliance programme.

Practical Steps for UK Organisations

Bringing this together, UK organisations handling international transfers should:

  1. Map your data flows — identify every instance where personal data is sent to, or accessed from, outside the UK, including cloud providers, group companies, and outsourced services
  2. Check adequacy status — confirm whether the destination country is covered by current UK adequacy regulations
  3. Put the right mechanism in place — an IDTA, UK Addendum to EU SCCs, or confirmed Data Privacy Framework certification, depending on the destination and supplier
  4. Carry out a Transfer Risk Assessment — document the reasoning behind why the chosen mechanism provides adequate protection
  5. Record transfers in your RoPA — your Record of Processing Activities should reflect international transfers, including the transfer mechanism relied upon
  6. Review supplier contracts regularly — particularly for cloud and SaaS providers, where terms and certifications can change without an organisation noticing

This is an area where IT and data protection responsibilities overlap significantly, since supplier selection, cloud architecture, and contractual terms all affect transfer compliance. Our IT compliance guide covers this overlap in more detail, and for a broader understanding of how transfer compliance fits within the DPO's overall remit, see our DPO role explained article.

FAQs

What counts as an international data transfer under UK GDPR?
It's any transfer of personal data to a recipient located outside the UK, including cloud storage, group companies, outsourced suppliers, or remote staff accessing UK-held data from abroad. If no exception applies, a valid transfer mechanism must be in place before the transfer happens.

Does the UK have its own adequacy decisions?
Yes. Following Brexit, the UK maintains its own adequacy regulations, separate from the EU's, though they initially mirrored the EU's decisions at the time. Organisations should check current UK adequacy status directly rather than assuming EU adequacy automatically applies.

What is the IDTA?
The International Data Transfer Agreement is the UK's own standard contractual mechanism for transferring personal data to countries without adequacy status. It sets out binding obligations on the overseas recipient to protect the data to a standard equivalent to UK GDPR.

Can I use US-based cloud software under UK GDPR?
Potentially, yes — if the provider is certified under the UK-US Data Bridge extension to the Data Privacy Framework, transfers can take place without a separate IDTA. If the provider isn't certified, an IDTA or UK Addendum to EU SCCs will generally be needed instead.

Do I need a transfer risk assessment for every overseas supplier?
Generally, yes, wherever you're relying on a mechanism like the IDTA or UK Addendum to EU SCCs rather than an adequacy decision. A TRA helps confirm the chosen mechanism genuinely provides adequate protection given the specific destination country and supplier.

Deepen your organisation's compliance knowledge — explore our GDPR Training for Data Protection Officers course and build the practical skills to manage international transfers with confidence.

Start your learning journey with KitLearn

Discover courses designed to help you grow faster, learn smarter, and achieve more.