| Scope and covered activity | IDTA: define the exact products, services, processing, claims, entities, assets, or activities that bring this side into scope; record out-of-scope facts separately. | EU SCCs: test its own scope boundary, exclusions, and covered activity; do not copy the IDTA conclusion without a separate source-linked finding. | Write two scope findings first: where IDTA applies, where EU SCCs applies, and which facts are outside one side even if evidence can be reused. |
|---|
| Who must act | IDTA: the UK exporter and the overseas importer sign the IDTA, and the exporter must ensure the UK transfer tool is in place before the transfer starts. | EU SCCs: the EU exporter and importer sign the Commission SCCs; if a UK transfer uses EU SCCs, the UK Addendum is the extra step rather than the SCCs standing alone. | Name the signing parties and the transfer tool together so the record shows which regime is doing the work. |
|---|
| Trigger or threshold | IDTA: use the IDTA for a UK GDPR restricted transfer when there is no adequacy regulation or exception and the parties need UK standard data protection clauses plus a transfer risk assessment. | EU SCCs: use the Commission SCCs for an EU GDPR restricted transfer; for UK GDPR restricted transfers, the EU SCCs need the ICO Addendum rather than standing alone. | Start with the trigger so teams do not apply the wrong regime to the wrong facts. |
|---|
| Core obligations | The UK IDTA requires exporters to complete a mandatory Transfer Risk Assessment, append the IDTA to the underlying contract covering the transfer, obtain the importer's agreement to the Table 4 provisions, and review the IDTA when the transfer circumstances or importer's country risk profile change materially. | The EU Standard Contractual Clauses require the exporter to select the correct module (controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller), complete all optional clauses and annexes, document the Transfer Impact Assessment, and ensure the importer can comply with all SCC obligations in the destination country. | Translate obligations into tickets, notices, records, controls, or contract terms. |
|---|
| Evidence and records | IDTA: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | EU SCCs: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep source links, factual analysis, owner approval, and implementation evidence together. |
|---|
| Timing and cadence | IDTA: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | EU SCCs: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use current source dates; do not reuse old project plans after amendments or guidance updates. |
|---|
| Enforcement or assurance route | IDTA: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side. | EU SCCs: identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when enforcement routes differ because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof. |
|---|
| Overlap and reuse | IDTA: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | EU SCCs can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Document overlap explicitly instead of merging both tests into one vague compliance label. |
|---|
| Practical decision rule | IDTA: treat this as the controlling workstream when its scope trigger, deadline, regulator, or required artifact is the immediate blocker. | EU SCCs: run a parallel or follow-on workstream when this side adds separate actors, evidence, timing, penalties, customer assurances, or implementation constraints. | Choose one practical next step: proceed under IDTA, proceed under EU SCCs, run both in parallel, or document why neither side controls the present fact pattern. |
|---|