What do we need to consider if we transfer people’s personal information outside the UK?
-
The Data (Use and Access) Act 2025 got Royal Assent on 19 June 2025. All the provisions affecting data protection law and the Privacy and Electronic Regulations Communications are now in force. The Department for Science and Innovation (DSIT) has set out the commencement plans. You can find more details on the Gov.uk website.
Data protection law contains rules about transferring personal information to receivers located outside the UK. We refer to these as restricted transfers.
You must ensure that one of the following apply:
- the transfer is covered by ‘adequacy regulations’. This means that the country you plan to send the information to has ‘adequate’ protection for people’s personal information;
- there are appropriate safeguards in place. This means that if there are no UK adequacy regulations in place for that country, you must do an assessment to check that relevant UK GDPR protections are not undermined for people whose information is transferred; or
- the transfer is covered by an exception.
Further reading