UK GDPR · Chapter V · Post-Brexit

International data transfers under UK GDPR

Updated April 2026UK GDPR Chapter VICO aligned

After Brexit, the UK operates its own international data transfer regime independently of the EU GDPR framework. Transfer mechanisms that satisfy EU GDPR do not automatically satisfy UK GDPR, and vice versa. Organisations moving data between the UK and EU must navigate both regimes separately, and adequacy decisions that enable free data flow can be suspended.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

The UK’s own transfer regime

Chapter V of UK GDPR restricts transfers of personal data to countries outside the UK unless appropriate safeguards are in place. The ICO oversees the UK regime. The EU GDPR regime is supervised separately by EU national data protection authorities and the EDPB. They are separate frameworks — a mechanism satisfying one does not automatically satisfy the other.

Source: UK GDPR Chapter V; ICO international transfers guidance

UK adequacy decisions

The UK has issued adequacy decisions for countries considered to provide equivalent protection. The EU and EEA are on the UK’s adequacy list — the European Commission renewed its adequacy decision for the UK in December 2025 (valid to December 2031), permitting EU-to-UK transfers without additional mechanisms. UK organisations transferring data to the EU do not need additional mechanisms under UK GDPR, as the EEA is on the UK adequacy list.

International Data Transfer Agreements (IDTAs)

Where no adequacy decision applies, the primary UK GDPR mechanism is the International Data Transfer Agreement (IDTA) — the UK equivalent of EU SCCs. Organisations that previously relied on EU SCCs for non-adequate country transfers need to replace or supplement them with an IDTA or the UK Addendum to EU SCCs.

US transfers — the Data Bridge

The UK-US Data Bridge permits transfers to US organisations self-certified under the framework. The DPF’s long-term stability was affected by changes in the PCLOB’s quorum in January 2025. Organisations relying on the Data Bridge should maintain contingency mechanisms (IDTAs with TRAs) in case the arrangement is suspended.

Source: UK-US Data Bridge; ICO adequacy guidance; DPF status monitoring recommended

Transfer Risk Assessments

Using an IDTA does not remove the requirement to assess whether the destination country’s laws undermine the protection provided. A Transfer Risk Assessment (TRA) should be conducted before relying on contractual mechanisms for transfers to countries where law enforcement access may undermine the IDTA’s protections. The ICO has published a TRA tool.

Record this. Map every data transfer in your ROPA — destination, mechanism relied upon, and date the mechanism was put in place. Where IDTAs are used, retain the signed agreement and TRA. Adequacy decisions can be suspended and must be monitored.

Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.