The UK-US Data Bridge is active…

The EU-US Data Privacy Framework (DPF) is a landmark set of rules and binding safeguards that govern the transfer of personal data between the EU and the US. The European Commission adopted its adequacy decision on the DPF on 10 July 2023 and it came into force the same day.

The UK adopted the DPF in October 2023 – known as the UK-US Data Bridge.

When a US organisation has been certified and publicly listed on to the Data Privacy Framework List (DPF List) on the DPF website they can then sign up to the UK Data bridge extension and receive UK personal data.

Actions needed before transferring personal data to the US:

  1.  Assess whether data needs to be transferred.
  2. Check that the organisation is on the DPF list.
  3. Check that the organisation has signed up to the UK extension and if wishing to transfer Human Resources Data (HR) data check to see if HR is covered by its’ commitments (click on relevant privacy policy link within listing).

If you cannot rely on the UK Data Bridge extension, you will need to revert to a pre-existing safeguard – a risk assessment is advised to validate any transfers.

The Data Bridge does have advantages for UK organisations.  After a period of uncertainty there is now a safeguard framework with advanced security, reduced compliance costs and quicker resolutions for any disputes around data.

However, the transfer is done records must be kept in good order, including Records of Processing Activity (RoPA), contracts and agreements, internals data protection policies, privacy notices and more.  Robust supplier due diligence is also required.   Cyber & Data Protection can help you with all of these…if you need help give us a call.