On September 21, 2023, DSIT published the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (DPF). From October 12, 2023, the UK government's adequacy regulations allow organizations in the UK to transfer personal data to certified organizations in the US without needing a further transfer mechanism.
The adequacy regulations, which establish the UK-US Data Bridge, apply to businesses in the US that are certified under the UK Extension to the DPF: certification commits those businesses to data protection standards that the UK has assessed as adequate.
How did this come into effect?
In support of the UK-US Data Bridge, the US Attorney General designated the UK as a qualifying state under Executive Order 14086. This designation was a precondition for an adequacy decision to be taken on the UK side.
Following the US designation, the Department for Science, Innovation and Technology (DSIT) in the UK assessed the laws and practices in the US and determined that they met the standard required for an adequacy decision, bringing the process to a close.
Which organizations are affected?
As mentioned above, transfers under the Data Bridge are only valid if the data is transferred from the UK to a US organization certified under the UK Extension to the DPF.
However, certain sectors in the US do not qualify for the DPF Program at this time. The DPF is enforced by the Federal Trade Commission and the Department of Transportation, so any industry that falls outside the jurisdiction of both agencies is currently excluded from the DPF Program, e.g., telecommunications, banking, or insurance.
What types of data does this Data Bridge apply to?
Sensitive data
Businesses in the UK are allowed to transfer sensitive (special category) data to their counterparts in the US, as long as the data is identified as sensitive to the recipient.
US organizations need to know when sensitive data is included in a transfer so that they can apply the additional protections the DPF requires for it. Examples of this data include (but are not limited to) the following:
- Genetic data
- Biometric data (where used to uniquely identify someone)
- Sexual orientation data
Criminal data
Data about an individual's criminal record can also be transferred, most commonly as part of an HR transfer. In that case the UK sender must make clear that the data is being transferred under the DPF, and HR data must be within the scope of the US recipient's certification.
If criminal record data is shared outside an HR context, it is treated in the same way as sensitive or special category data, as described above.
Exceptions
Every rule comes with an exception, and transfers under the DPF are no different: journalistic data cannot be shared under the DPF.
What is journalistic data? It refers to any personal data collected for the purpose of journalism in any form (print, broadcast, or other). Whether the data is actually used is secondary; the purpose for which it was collected is what matters.
How can you verify you’re sending data to certified organizations?
The primary stipulation of the UK-US Data Bridge is that personal data can only be transferred from a UK business to a US business if the US business is certified under the UK Extension to the DPF. To find out whether a US business is certified:
- Check the DPF List maintained by the US Department of Commerce (dataprivacyframework.gov) to see whether the organization is certified
- Check the organization's DPF profile to confirm it has opted into the UK Extension
- If HR data is involved, make sure HR data is within the scope of its certification
- Review its privacy policy, specifically the sections covering the types of data you intend to transfer
How can OneTrust help?
When it comes to international data transfers, it can be a challenge for your organization to keep up with all of the regulations involved. OneTrust ensures you’re on top of all things regulatory compliance, especially when it comes to personal data.
In light of the UK Extension to the DPF, our team of privacy experts and legal analysts has developed a set of best practices for organizations to follow when making these transfers, helping organizations across industries apply a tailored approach to different use cases.
With preset assessment templates for varying levels of risk and support for privacy impact assessments (PIA/DPIA), you can take the guesswork out of the steps required for complex international data transfers.
To learn more about how OneTrust can help your organization navigate UK to US personal data transfers, request a demo today.