Why companies need to act now on international data transfers
With the multiple impacts of Brexit, Covid-19 and the cost of living crisis, life sciences businesses may not have data protection at the forefront of their minds. However, privacy laws are dynamic, and organisations should be considering their practices in relation to personal data, particularly where international transfers are concerned.
Life sciences companies process significant volumes of personal data, in particular health data. The race to find Covid-19 vaccines highlighted the need for co-operation and collaboration between life sciences companies, and has heightened the public’s awareness of personal data sharing in the sector.
Any clinical trial involves numerous parties with different roles and responsibilities, all of whom need to share data with each other (albeit in pseudonymised form) to reach successful outcomes. Often the recipients of the personal data will be located outside the UK and the EU.
Personal data transfers from the UK to the EU (and vice versa) are permitted because of mutual ‘adequacy’ recognition. However, if personal data from clinical trials is transferred to the US or other countries where protections are not considered adequate, data exporters must provide additional protections.
Such protections often use the EU’s ‘standard contractual clauses’ (or SCCs). The EU issued SCCs pre-GDPR (‘old’ EU SCCs) then modernised them in June 2021 (‘new’ EU SCCs). Those new EU SCCs were issued after Brexit and could not be used for transfers to which UK GDPR applied, so most UK transfers continued to use the old SCCs.
From 22 September 2022, data exporters must use one of two new UK transfer options for any new arrangements that are subject to UK GDPR. These are:
- The UK’s International Data Transfer Agreement (IDTA): a standard document which can be signed alongside the main contract between a data importer and a data exporter; or
- The UK addendum to the new EU SCCs: supplements the new EU SCCs with a UK-specific addendum to ensure compliance with both EU GDPR and UK GDPR.
The UK has imposed a deadline of 21 March 2024 to replace any existing arrangements entered into based on old EU SCCs, but the EU timeline for this is much earlier: 27 December 2022. In reality, many UK-based life sciences businesses will share data that is subject to both the UK GDPR and the EU GDPR and will therefore need to adhere to the EU deadline (using new SCCs plus the UK addendum).
Life sciences businesses should act now to review their international data transfers to ensure compliance with the changing UK and EU landscapes. The EU’s December deadline is approaching fast, and companies that fail to comply risk not only fines and sanctions, but also significant damage to their trust and reputation.