Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business uses US-based software, stores customer data in the cloud, runs email marketing, or has a US supplier, there’s a good chance you’re already transferring personal data to the United States.
For years, that’s been a tricky area under UK GDPR because international transfers require extra safeguards. The UK–US adequacy decision (often called the UK “data bridge”) is designed to make some UK-to-US transfers simpler - but it doesn’t automatically cover every US recipient or every transfer route.
Below, we break down what the UK–US adequacy decision means for small UK businesses, when you can rely on it, what you still need to do, and how to stay compliant without turning your business into a legal project.
What Is The UK–US Adequacy Decision (And Why Does It Exist)?
Under the UK GDPR and the Data Protection Act 2018, you can’t freely send personal data outside the UK unless the destination provides an “adequate” level of protection for individuals’ rights.
In plain English: if you’re moving personal data to another country, UK law expects you to make sure it’s protected to a UK-standard level.
An adequacy decision is the UK government’s formal way of saying:
- “This country (or this scheme) offers protections that are essentially equivalent to the UK’s,” and
- “UK businesses can transfer personal data there without needing extra transfer contracts for that route.”
The UK–US adequacy decision matters because the US historically hasn’t had a single nationwide privacy law equivalent to UK GDPR. Instead, it has a mix of sector-based rules and enforcement, plus specific frameworks for international transfers.
What The UK Has Actually Done
The UK has adopted the UK Extension to the EU–US Data Privacy Framework (often referred to in practice as the UK “data bridge”). This allows UK organisations to transfer personal data to certain US organisations if those US organisations are certified to the EU–US Data Privacy Framework and have signed up to the UK Extension.
That means this isn’t a blanket “the whole US is adequate” decision. It’s closer to: “Transfers to participating US organisations can be treated as adequate.”
This distinction matters, because many transfers won’t qualify automatically - especially if your US vendor hasn’t certified (or can’t certify), or if the relevant service/data type isn’t within the scope of that certification.
Why The UK–US Adequacy Decision Matters For Small Businesses
Most small businesses aren’t “sending data to the US” in an obvious way (like exporting spreadsheets to a US office). It’s usually happening through tools you use every day - for example:
- your CRM platform
- your website analytics
- your email marketing provider
- customer support ticketing tools
- cloud storage and collaboration tools
- outsourced developers, marketing agencies, or virtual assistants
If any of those providers are US-based (or have US servers, or US support access), you may be making restricted transfers under UK GDPR.
The Practical Benefits If You Can Use It
Where the UK–US adequacy decision applies, it can reduce friction by:
- removing (or reducing) the need for extra international transfer paperwork for that specific transfer route
- giving you a clearer compliance story if customers ask where data goes
- helping you streamline procurement and vendor onboarding (especially when choosing SaaS tools)
But it’s not a “set and forget” solution. You still need the basics: a lawful basis for processing, transparency, security, and a clear supplier contract where required.
For many businesses, this is where having a properly drafted Privacy Policy and clear internal data processes makes a big difference - not just to tick a box, but to prevent messy supplier or customer issues later.
When Can You Rely On The UK–US Adequacy Decision?
This is the key question: does your specific transfer qualify?
In most real-world cases, you can rely on the UK–US adequacy decision only when the US recipient is certified to the EU–US Data Privacy Framework and has signed up to the UK Extension - and the transfer is within the scope of that certification.
Typical Scenarios Where It May Apply
You may be able to rely on it if:
- you are transferring personal data from the UK to a US organisation that is certified to the EU–US Data Privacy Framework and has signed up to the UK Extension
- the transfer is within the scope of that organisation’s certification (e.g. the relevant services and data categories are covered)
- you’ve checked and documented that reliance (so you can evidence it later)
How To Verify Certification (And Scope) In Practice
As a practical step, you should:
- check the official Data Privacy Framework list to confirm the organisation is certified and that it covers the UK Extension
- verify the legal entity name matches the entity receiving the data (not just the brand name)
- check the certification status is current, and review what services/data types are included
- keep a dated screenshot or PDF of the listing as evidence for your records
Scenarios Where It Often Does Not Apply
You may still need alternative safeguards where:
- your US supplier is not certified (or has not signed up to the UK Extension)
- the supplier is a subcontractor or “onward recipient” that isn’t covered
- the transfer route involves multiple countries (for example, your tool is US-owned but hosts in another non-adequate country)
- you’re dealing with a complex group structure and data moves between entities (e.g. a UK company to a US parent company’s HR system)
In those cases, you’ll usually need an appropriate transfer mechanism such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses - and you’ll typically need to carry out and document a transfer risk assessment (often referred to as a TRA) for that transfer route.
In other words: don’t assume that “US company = covered”. You need to verify the status of the recipient and keep a record.
What About EU Rules - Do They Automatically Cover The UK?
Not automatically. The UK has its own GDPR regime (UK GDPR) and its own international transfer rules. Even if you’re familiar with EU approaches, your UK compliance still needs to stand on its own footing.
If you operate in both the UK and EU, you may need to consider both regimes side-by-side (and in some cases run a dual-compliance approach).
What You Still Need To Do (Even If The UK–US Adequacy Decision Applies)
A common misconception is that an adequacy decision removes all GDPR obligations for that vendor relationship. It doesn’t.
Even if the UK–US adequacy decision covers the international transfer piece, you still need to get the rest of your compliance right.
1. Confirm Your Role: Controller Or Processor
Start with the basics:
- If you decide why and how personal data is used, you’re usually the controller.
- If a supplier processes personal data only on your instructions (e.g. a cloud CRM), they’re usually a processor.
This matters because controller–processor relationships require specific contractual terms under UK GDPR.
In many cases, you’ll want a proper Data Processing Agreement (or robust processor clauses within a broader supplier agreement) so the vendor is contractually bound to protect the data, follow your instructions, and help you meet your legal obligations.
2. Keep Your Vendor Due Diligence Practical (But Real)
You don’t need a 40-page risk report for every tool you use - but you do need a sensible level of checks and documentation.
For UK-to-US transfers, that typically includes:
- confirming whether the vendor is certified to the EU–US Data Privacy Framework and has signed up to the UK Extension (and keeping a screenshot/record)
- checking where data is hosted and where support teams can access it from
- reviewing security measures (access controls, encryption, incident response)
- understanding their subcontracting chain (especially if data could be shared onward)
If you store customer or staff data in cloud tools, it’s also worth sanity-checking common setups - for example, whether your chosen storage solution is suitable under UK GDPR. (This question comes up a lot with cloud drives; see issues like Google Drive and GDPR compliance.)
3. Make Sure Your Privacy Information Is Accurate
UK GDPR requires you to tell people what you do with their personal data, including international transfers where relevant.
That usually means your external-facing documents (and internal notices, if you have staff) should clearly explain:
- what data you collect
- why you collect it
- who you share it with (including key categories of suppliers)
- whether data may be transferred outside the UK
- what safeguards you rely on (for example, the UK–US data bridge/UK Extension route where applicable, or IDTA/UK Addendum where it doesn’t apply)
This is one reason a tailored Privacy Policy is so important - generic wording often misses what your business actually does, especially if you’re using multiple SaaS tools that involve overseas access.
4. Don’t Forget Data Subject Rights And SARs
If someone asks for a copy of their personal data (a Subject Access Request), you need to be able to respond properly and within the required timeframes.
International transfers don’t change that obligation - but they can make it harder if you don’t have control over what your suppliers hold and how quickly they can export it.
Many small businesses find it helpful to set up a simple internal process and template documents early, including an Access Request Form to streamline requests and reduce the risk of missing key info.
5. Put A Data Sharing Structure In Place Where Needed
If you’re sharing personal data with other organisations (not just using a processor), you may need a more specific arrangement to define responsibilities - for example, where two businesses work together on a campaign, an event, or a joint customer offering.
In those cases, a Data Sharing Agreement can be a practical way to reduce confusion and show you’ve properly governed how personal data moves between parties.
Common Traps With UK–US Data Transfers (And How To Avoid Them)
Even with the UK–US adequacy decision in play, there are a few “classic” ways businesses get caught out. The good news is that most of them are fixable once you know what to look for.
Trap 1: Assuming Your Vendor Is Covered Without Checking
Many popular vendors have complex corporate structures - a UK reseller, an EU entity, and a US parent, plus subcontractors and support operations around the world.
From a compliance perspective, the only safe approach is to confirm:
- who your contract is actually with
- who receives the data
- where the data is stored and accessed
- whether that recipient is covered by the UK Extension to the EU–US Data Privacy Framework (or whether you need IDTA/UK Addendum + a TRA)
If you’re ever challenged (by a customer, a partner, or a regulator), being able to evidence that you checked is the difference between a manageable compliance conversation and a stressful one.
Trap 2: Ignoring “Onward Transfers”
Even if your direct US supplier is covered, that supplier may use sub-processors (for hosting, support, analytics, fraud detection, etc.).
This matters because onward transfers can create new transfer routes that may not be covered by the same adequacy mechanism.
Practically, your supplier contract should require transparency and control around sub-processors - and you should actually read the vendor’s sub-processor list (at least for high-risk tools).
Trap 3: Not Updating Your Contracts
The adequacy route may simplify some transfers, but it doesn’t remove the need for appropriate terms around:
- confidentiality
- security obligations
- breach notification timeframes
- audit/assurance
- help with SARs and deletion requests
If a supplier is processing personal data on your behalf, you typically need UK GDPR-compliant processor terms - which is why a properly drafted Data Processing Agreement is often a core document in your toolkit.
Trap 4: Rolling Out New Tech Without A Policy
AI tools, browser-based plugins, and “free” productivity apps can create unexpected US transfers (or unexpected data sharing generally).
If your team is using personal devices or personal accounts for business work, the risks multiply quickly - especially if client data or employee data is involved.
This is where internal guardrails help, like an Acceptable Use Policy that sets clear rules on what tools staff can use, how data should be stored, and what to do if something goes wrong.
Trap 5: Treating This As Only A “Tech Company” Issue
This isn’t just for SaaS startups.
To make it concrete, imagine:
- you run an online shop and use US email marketing + US analytics
- you’re a consultancy and store client notes in a US-based workspace tool
- you’re a small agency and use US project management software with client personal data inside
All of these can involve UK-to-US personal data transfers. If you’re collecting names, emails, phone numbers, IP addresses, or even staff HR details, it’s worth getting the transfer position right early, while your systems are still simple.
Key Takeaways
- The UK–US adequacy decision (the UK Extension to the EU–US Data Privacy Framework) can make certain UK-to-US personal data transfers easier, but it is not a blanket approval for all transfers to the US.
- You can usually rely on this route only where the specific US recipient is certified to the EU–US Data Privacy Framework and has signed up to the UK Extension (and your transfer is within scope).
- If the recipient isn’t covered, you’ll generally need an IDTA or UK Addendum plus a documented transfer risk assessment for that transfer route.
- Even where adequacy applies, you still need UK GDPR basics in place: transparency, security, lawful basis, and appropriate supplier contracts.
- For many small businesses, the biggest practical steps are: keeping a vendor list, checking certification/coverage, updating privacy wording, and putting proper processor terms in place (often via a Data Processing Agreement).
- Watch out for common traps like onward transfers, unclear vendor group structures, and staff using unapproved tools without an internal acceptable use policy.
- If you’re unsure whether your tools and suppliers are covered, getting advice early is usually cheaper (and far less stressful) than untangling it later after a complaint, breach, or due diligence request.
If you’d like help reviewing your UK–US data transfer position, your Privacy Policy, or the contracts you use with suppliers, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.