If your firm serves clients outside the UK, you are moving personal data across borders. Portfolio valuations sent to expat clients. Documents shared with overseas counsel. Client records held in cloud platforms hosted in the United States. CRM data accessed by a team member working from Dubai. Every one of these is a cross-border data flow that has to be assessed against specific legal rules – some are restricted transfers, some are not – and most firms have never mapped them.
The regulatory landscape shifted substantially in 2025. The Data (Use and Access) Act 2025 (DUAA) rewrote the UK's international transfer framework. The EU renewed its adequacy decision for the UK in December 2025 – but with conditions. The ICO published comprehensively updated guidance in January 2026. And enforcement actions across Europe, including fines of €530 million against TikTok and €290 million against Uber for transfer failures, have made clear that getting this wrong carries real consequences.
This guide explains the current rules, identifies where the gaps are, and provides a practical framework for firms that need to get this right.
What counts as a transfer
The starting point is knowing when the rules apply. Not every movement of data across a border is a "restricted transfer" under UK GDPR – but many routine activities are, and firms regularly underestimate their exposure.
The ICO's updated guidance, published on 15 January 2026, introduces a three-step test. A transfer is restricted if all three conditions are met: UK GDPR applies to the processing; your organisation initiates the transfer to a recipient outside the UK; and the recipient is a separate legal entity, including a separate company within the same corporate group.
The practical implications are important. An employee accessing your systems while travelling abroad is not a restricted transfer – they are the same legal entity. But sharing client files with an overseas subsidiary is a restricted transfer, even within your own group, because the subsidiary is a separate legal person. Cloud storage with a provider outside the UK constitutes a restricted transfer. A client providing their own data to your UK firm does not trigger the rules from the UK perspective. A processor returning data to its overseas controller is not initiating a transfer.
These distinctions matter because many firms assume that "our data stays in the UK" when it does not. Microsoft 365, Salesforce, Google Workspace, HubSpot, practice management systems, video conferencing platforms, HR software – all of these may route data through servers outside the UK, and each represents a potential restricted transfer that requires a legal basis.
The UK–EU adequacy decision: renewed, but not unconditional
The question that dominated 2025 was whether the EU would renew the UK's adequacy status. The original adequacy decisions, adopted on 28 June 2021, contained a four-year sunset clause that expired on 27 June 2025; the Commission granted a six-month extension to 27 December 2025 while the renewal was assessed. Without renewal, every UK firm transferring personal data to or from the EU would have needed to implement alternative transfer mechanisms overnight.
The European Commission renewed the adequacy decisions on 19 December 2025, valid until 27 December 2031. This provides six years of stability – two years longer than the original term. The renewed decision is also a full adequacy finding, removing the previous exclusion for immigration-related data.
For firms with EU-based clients, colleagues, or service providers, this means UK–EU data flows continue without the need for Standard Contractual Clauses, IDTAs, or Transfer Risk Assessments. The practical relief is significant.
But the renewal was not automatic, and the conditions attached to it matter. The Commission included a new mechanism that allows it to require the UK to change its law within three months if it determines that protection is no longer adequate, failing which the decision can be suspended or repealed. A mid-point review is scheduled for 2029. The European Data Protection Board, in its opinions endorsing renewal, flagged several areas for ongoing monitoring: the UK government's expanded powers to make changes to international transfer rules via secondary legislation; the new "not materially lower" standard for UK adequacy assessments of third countries (which the EDPB considers less rigorous than the EU's "essential equivalence" test); and concerns about Technical Capability Notices requiring companies to circumvent encryption.
The House of Lords European Affairs Committee estimated the cost to UK businesses of losing adequacy at £1.0 to £1.6 billion. That cost has been deferred, not eliminated. Prudent firms should understand that the 2029 review will be closely watched, and that maintaining contingency transfer mechanisms is sound practice.
Beyond the EU: where adequacy ends and complexity begins
The EU adequacy decision covers the most common transfer corridor for UK firms, but it is far from the only one. Any firm with clients, offices, or service providers outside the UK's list of adequate countries faces a different compliance challenge.
Countries with UK adequacy
The UK recognises the following as providing adequate protection: all 27 EU member states plus Iceland, Norway, and Liechtenstein; Andorra, Argentina, the Faroe Islands, Gibraltar, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, and Uruguay. Canada has partial adequacy, limited to organisations subject to PIPEDA. The United States has partial adequacy through the UK-US Data Bridge, limited to organisations certified under the UK Extension to the EU-US Data Privacy Framework.
Transfers to any of these countries require no additional mechanism – no IDTA, no SCCs, no TRA.
The UK-US Data Bridge: important limitations
The UK-US Data Bridge has been operational since October 2023, but its scope is narrower than many firms realise. It covers only US organisations that have self-certified with the Department of Commerce under the UK Extension to the EU-US Data Privacy Framework. Only organisations subject to the Federal Trade Commission or the Department of Transportation are eligible. This means banks, insurers, and telecommunications companies are excluded.
For wealth management firms, this is a critical gap. If your firm transfers client data to a US-based banking affiliate or insurance partner, the Data Bridge does not apply. You will need an IDTA with a completed Transfer Risk Assessment, regardless of the US entity's data protection standards.
The Data Bridge's long-term durability is also uncertain. The EU-US Data Privacy Framework survived a legal challenge when the EU General Court dismissed the Latombe case in September 2025, but an appeal was filed in October 2025. NOYB, the organisation behind the Schrems litigation, has signalled a broader challenge may follow. The Trump administration's paralysis of the Privacy and Civil Liberties Oversight Board – a key oversight mechanism in the DPF architecture – adds to the uncertainty.
Notable gaps in the adequacy list
Australia, India, Singapore, the United Arab Emirates, and Brazil are all absent from the UK's adequate countries list. Any firm transferring personal data to these jurisdictions needs a transfer mechanism in place.
The EU adopted a mutual adequacy decision with Brazil on 10 February 2026 – but the UK has not followed suit. A firm with both UK and EU operations may find that its German office can transfer data to Brazil freely, while its London office cannot. This kind of divergence between UK and EU adequacy lists will become more common as both jurisdictions make independent assessments.
For firms serving expat clients in the Middle East and Asia, the compliance position is particularly demanding. The UAE and Singapore both have their own data protection laws, and in some sectors data localisation requirements, that may conflict with cross-border access needs. A UK financial adviser sending portfolio reports to a client in the UAE needs an IDTA covering the transfer, plus awareness that the UAE Central Bank requires licensed financial institutions to store customer data within the UAE.
Crown Dependencies: the straightforward case
Jersey, Guernsey, and the Isle of Man all hold both UK and EU adequacy. Data flows between the UK, the Crown Dependencies, and the EU are entirely frictionless – no transfer mechanism or risk assessment is required. For wealth management and financial services firms with Crown Dependencies entities, this is the simplest part of the international transfer landscape.
Gibraltar has UK adequacy but does not have EU adequacy. EU entities transferring data to Gibraltar must use SCCs or another Article 46 safeguard.
Transfer mechanisms: what to use when adequacy doesn't apply
When transferring personal data to a country without UK adequacy, firms need one of the following mechanisms in place.
The IDTA and UK Addendum
The ICO's International Data Transfer Agreement has been in force since March 2022. It is a single document covering all party relationships – controller to controller, controller to processor, processor to processor, and processor to controller. Completion requires four tables covering the parties, transfer details, security requirements, and any extra protection clauses. A Transfer Risk Assessment must accompany every IDTA.
For organisations already using the EU's Standard Contractual Clauses for EU GDPR transfers, the UK Addendum is the more practical choice. It attaches to the EU SCCs and modifies them to work under UK GDPR, avoiding the need for a standalone IDTA. Both provide equal legal standing.
The ICO's January 2026 guidance confirmed that the IDTA can now be incorporated into contracts by reference rather than attached in full – a small but useful practical improvement.
Transfer Risk Assessments
TRAs are mandatory for any restricted transfer that relies on an IDTA, UK Addendum, or other Article 46 safeguard. They are not required for transfers to adequate countries. The ICO updated its TRA tool on 15 January 2026, using six questions that assess the circumstances of the transfer, the risk level of the data, the destination country's legal framework, human rights risks, enforceability of safeguards, and any exceptions.
The ICO's approach is deliberately more practical than the European Data Protection Board's methodology. Rather than requiring a comprehensive comparison of the destination country's entire legal system, the ICO focuses on whether the transfer significantly increases risk to individuals compared with processing in the UK. Existing TRAs that concluded adequate protection are deemed to satisfy the new statutory "data protection test" introduced by the DUAA – firms do not need to redo them.
Derogations: the last resort
Article 49 of UK GDPR provides derogations for specific situations, but these are narrow and cannot be used for regular, repetitive, or bulk transfers. For professional services, the most relevant derogations are: the transfer is necessary for the performance of a contract between the firm and the client (requires a close and substantial connection to the specific transfer); the transfer is necessary for the establishment, exercise, or defence of legal claims; or the individual has given explicit consent after being informed of the risks.
The contract performance derogation is useful for occasional transfers – sending a specific document to a specific client for a specific purpose. It cannot support ongoing, systematic data flows. The legal claims derogation covers cross-border litigation, arbitration, and regulatory investigations, but requires a connection to a specific claim, not a general possibility of future disputes.
Binding Corporate Rules
BCRs are available for multinational groups and provide the most comprehensive framework for intra-group transfers. Several large professional services firms hold approved BCRs, including BDO, Ernst & Young, Linklaters, Latham & Watkins, and Marsh McLennan. For firms of this scale, BCRs make operational sense.
For mid-size firms, they do not. Full BCR approval takes up to two years and costs upwards of £100,000 in legal fees. The ICO published a UK BCR Addendum in December 2023, which simplifies matters for firms that already hold EU-approved BCRs, but the initial investment remains prohibitive for most professional services practices.
Sector-specific challenges
Financial advisers and wealth managers
A UK-regulated IFA with expat clients faces distinct transfer scenarios depending on where the clients are located. UK to EU is covered by the renewed adequacy decision – no additional mechanism needed. UK to the Crown Dependencies is similarly straightforward.
Transfers to non-adequate jurisdictions are more complex. A client in the UAE requires an IDTA with TRA. A client in Singapore requires the same. If your firm uses a US-based custodian or platform provider that is not DPF-certified – or is a bank or insurer, which the Data Bridge does not cover – you need an IDTA for that relationship too.
The FCA does not publish standalone guidance on international data transfers, deferring to the ICO. But FCA requirements intersect: FG16/5 on cloud outsourcing requires firms to ensure data are not stored in jurisdictions that would inhibit effective access for UK regulators. SYSC 8 prohibits outsourcing arrangements that would impair the FCA's ability to monitor compliance. If your cross-border transfer arrangement means the FCA cannot access client records, you have a regulatory problem beyond data protection.
Law firms
The Solicitors Regulation Authority addresses international group structures directly. For firms in international groups with separate legal entities (such as Verein structures), the SRA requires informed client consent before sharing confidential information with entities in other jurisdictions. Partners should discuss with clients where data will be shared, including to which entities and in which jurisdictions.
The legal claims derogation under Article 49(1)(e) is the most directly relevant mechanism for cross-border litigation. The EDPB has confirmed it covers formal pre-trial discovery, arbitration, and regulatory investigations. But each transfer must be connected to a specific legal claim – it cannot be invoked on the possibility of future disputes. Legal professional privilege does not automatically extend across jurisdictions, creating an additional layer of risk when sharing documents with overseas counsel.
Marketing across borders
Any firm marketing to clients in multiple countries faces an additional compliance layer. This is where data protection intersects with electronic communications regulation, and where the rules are least clear.
PECR governs electronic marketing from the UK, but its territorial reach is genuinely uncertain. Legal analysis has concluded that it is impossible to say with certainty whether PECR applies based on the sender's location, the recipient's location, or both. In practice, UK firms marketing to EU-based clients should comply with both PECR and the relevant national ePrivacy implementation in the recipient's country.
EU GDPR applies to UK firms under Article 3(2) when they offer goods or services to, or monitor the behaviour of, EU data subjects. A UK financial adviser actively marketing wealth management services to clients in France or Germany falls within EU GDPR scope, regardless of where the firm is based.
For consent management, a firm with a single website serving clients across jurisdictions needs to apply the strictest applicable standard for each user's location – PECR requirements for UK visitors and the relevant national ePrivacy rules for EU visitors. Analytics platforms that process data in the US create their own transfer questions. The Data Privacy Framework currently provides a lawful basis for transfers to DPF-certified platforms like Google, but its long-term stability is not guaranteed.
The EU's ePrivacy Regulation, which would have replaced the patchwork of national ePrivacy implementations, was formally withdrawn on 11 February 2025 after years of stalemate. The existing ePrivacy Directive and its 27 national transpositions remain in force for the foreseeable future – meaning firms marketing across the EU must navigate country-by-country variations in electronic marketing rules.
What firms should do now
The December 2025 adequacy renewal provides a stable foundation for UK–EU transfers, but it does not address the full picture for firms with international clients. The following steps represent a proportionate compliance framework for mid-size professional services firms.
Map your data flows. Identify every transfer of personal data outside the UK. This includes the obvious transfers – documents sent to overseas clients, data shared with international offices – and the hidden ones: cloud services, email platforms, CRM systems, analytics tools, IT support providers, and video conferencing platforms. Apply the ICO's three-step test to each flow.
Check adequacy coverage. For each transfer, verify whether the destination country holds UK adequacy. If it does, no further mechanism is needed. If the US is involved, check whether the specific recipient is DPF-certified under the UK Extension – and remember that banks and insurers are excluded.
Implement IDTAs where needed. For transfers to non-adequate countries, put an IDTA (or UK Addendum if already using EU SCCs) in place. The ICO's January 2026 guidance confirms these can now be incorporated by reference into existing contracts.
Complete Transfer Risk Assessments. Every IDTA requires an accompanying TRA. The ICO's six-question tool provides a structured, proportionate framework. Existing TRAs remain valid under the new DUAA statutory test provided the underlying risk profile has not changed.
Review your US relationships. If your firm uses US-based service providers, verify their DPF certification status. For relationships with US banks or insurers, the Data Bridge does not apply – IDTA plus TRA is required.
Understand your Crown Dependencies position. If your firm has entities in Jersey, Guernsey, or the Isle of Man, transfers to and from the UK and the EU require no mechanism. This is the straightforward part.
Plan for contingency. The UK–EU adequacy decision runs to 2031 with a mid-point review in 2029. Maintain IDTA templates and ensure your contracts include fallback provisions in case adequacy is ever revoked. This is not alarmism – it is the standard contingency planning that the adequacy decision's own sunset clause invites.
Consider the marketing dimension. If you market to clients across borders, review your consent mechanisms, privacy notices, and analytics setup against both PECR and the applicable local rules in your clients' jurisdictions. A single website serving multiple jurisdictions needs a consent architecture that reflects the strictest applicable standard.
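The mapping and adequacy-checking steps above are the part of this framework that benefits from being done mechanically rather than flow by flow in a spreadsheet. The following script is an added example, not code from the article or from the ICO: it encodes the three-step test and the adequacy, Data Bridge and IDTA/TRA rules summarised on this page as a classifier over a transfer register. The `Flow` fields, the helper names and the sample register are this example's own assumptions; the adequacy list is a snapshot of the one given above and has to be maintained by the firm as decisions change; and every row is assumed to be processing to which UK GDPR applies (step one of the ICO test), so only steps two and three are evaluated.

```python
"""Classify a firm's cross-border data flows against the UK transfer rules.

Added example (not from the article or the ICO). The adequacy list is a
snapshot of the article's list and must be maintained; the sample flows at
the bottom are constructed for illustration.
"""
from dataclasses import dataclass

EEA = {
    "Austria", "Belgium", "Bulgaria", "Croatia", "Cyprus", "Czechia", "Denmark",
    "Estonia", "Finland", "France", "Germany", "Greece", "Hungary", "Ireland",
    "Italy", "Latvia", "Lithuania", "Luxembourg", "Malta", "Netherlands",
    "Poland", "Portugal", "Romania", "Slovakia", "Slovenia", "Spain", "Sweden",
    "Iceland", "Liechtenstein", "Norway",
}
# Third countries and territories the article lists as holding full UK adequacy.
FULL_ADEQUACY = EEA | {
    "Andorra", "Argentina", "Faroe Islands", "Gibraltar", "Guernsey",
    "Isle of Man", "Israel", "Japan", "Jersey", "New Zealand", "South Korea",
    "Switzerland", "Uruguay",
}
# Sectors outside FTC/DoT jurisdiction, so ineligible for the UK-US Data Bridge.
BRIDGE_EXCLUDED_SECTORS = {"bank", "insurer", "telecom"}


@dataclass
class Flow:
    """One row of the transfer register (field names are this example's own).

    UK GDPR is assumed to apply to every flow recorded here (step one of the
    three-step test); the register evaluates steps two and three.
    """
    name: str
    destination: str                 # country where the recipient is located
    separate_entity: bool            # False for our own staff or branches abroad
    initiated_by_us: bool = True     # False when a processor returns data to its controller
    sector: str = "other"            # "bank" / "insurer" / "telecom" / "other"
    dpf_uk_extension: bool = False   # US recipient certified under the UK Extension
    pipeda_commercial: bool = False  # Canadian recipient subject to PIPEDA
    one_off: bool = False            # a single transfer for a specific purpose


def _result(flow, restricted, mechanism, reason):
    return {"flow": flow.name, "restricted": restricted,
            "mechanism": mechanism, "reason": reason}


def classify(flow: Flow) -> dict:
    """Return whether the flow is a restricted transfer and what mechanism it needs."""
    # Steps two and three of the ICO test: only transfers we initiate to a
    # recipient that is a separate legal person are restricted transfers.
    if flow.destination == "United Kingdom":
        return _result(flow, False, "none", "data does not leave the UK")
    if not flow.initiated_by_us:
        return _result(flow, False, "none", "not initiated by us (e.g. processor returning data)")
    if not flow.separate_entity:
        return _result(flow, False, "none", "same legal entity; Art 32 security still applies")

    # Restricted transfer: find the lawful basis for it.
    if flow.destination in FULL_ADEQUACY:
        return _result(flow, True, "adequacy", "destination holds UK adequacy; no TRA")
    if flow.destination == "Canada" and flow.pipeda_commercial:
        return _result(flow, True, "adequacy (partial)", "recipient subject to PIPEDA")
    if flow.destination == "United States":
        if flow.dpf_uk_extension and flow.sector not in BRIDGE_EXCLUDED_SECTORS:
            return _result(flow, True, "UK-US Data Bridge", "recipient certified under the UK Extension")
        why = ("sector excluded from the Data Bridge" if flow.sector in BRIDGE_EXCLUDED_SECTORS
               else "recipient not certified under the UK Extension")
        return _result(flow, True, "IDTA + TRA", why)
    if flow.one_off:
        return _result(flow, True, "IDTA + TRA (or Art 49 derogation)",
                       "non-adequate destination; a one-off transfer may qualify for a derogation")
    return _result(flow, True, "IDTA + TRA", "non-adequate destination; repetitive flow, no derogation")


def build_register(flows):
    """Classify every flow; also return the rows that still need an IDTA and TRA."""
    rows = [classify(f) for f in flows]
    return rows, [r for r in rows if r["mechanism"].startswith("IDTA")]


# Constructed sample register for a UK wealth manager (illustrative only).
SAMPLE_FLOWS = [
    Flow("Microsoft 365 tenant", "United States", True, dpf_uk_extension=True),
    Flow("US custodian bank", "United States", True, sector="bank", dpf_uk_extension=True),
    Flow("Portfolio reports to UAE client", "United Arab Emirates", True),
    Flow("Group entity in Jersey", "Jersey", True),
    Flow("Adviser working from Dubai", "United Arab Emirates", False),
    Flow("Payroll processor returning HR data", "India", True, initiated_by_us=False),
    Flow("Canadian introducer (PIPEDA)", "Canada", True, pipeda_commercial=True),
    Flow("Single document to counsel in Singapore", "Singapore", True, one_off=True),
]

if __name__ == "__main__":
    rows, needs_idta = build_register(SAMPLE_FLOWS)
    for r in rows:
        print(f"{r['flow']:<42} {r['mechanism']:<34} {r['reason']}")
    print(f"\n{len(needs_idta)} flow(s) need an IDTA and TRA")
```

Run as-is to see the sample register triaged; in practice the rows would come from the firm's vendor inventory and the adequacy set would be reviewed against the ICO's list each time the register is refreshed. The point of writing the rules down this way is that the two conditions firms most often get wrong, the same-legal-entity rule for staff abroad and the sector exclusion from the Data Bridge, are applied identically to every row rather than remembered case by case.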
Cross-border data protection is not a one-time exercise. Transfer mechanisms need review as your firm's operations change, as adequacy decisions are made or revoked, and as enforcement trends develop. The firms that manage this well are the ones that treat international data flows as an integral part of how they serve clients, not as something to address once the regulator comes asking.
This is work that sits at the intersection of data protection and operational reality: understanding the regulatory framework, mapping it to how your firm actually operates, and building the transfer architecture that keeps client data flowing lawfully. It is the kind of work Penby does every day, for firms whose international clients are central to their business.