1 Executive summary

1.1 Introduction

The Department for Science Innovation and Technology (DSIT) commissioned Ipsos to conduct qualitative research as a follow-up to the quantitative 2024 UK Business Data Survey. The purpose of the research was to gain a better understanding of why and how businesses transfer data internationally. Twenty-two qualitative in-depth interviews were conducted with UK businesses between February and April 2024. All twenty-two businesses interviewed transferred data internationally.

1.2 Overarching findings

Businesses used international data transfer tools, often due to contractual obligations, but knowledge of them varied

Awareness and knowledge of international data transfer tools varied significantly among businesses. Smaller (sole traders, micro and small) businesses were less aware of international data transfer tools and were concerned about their complexity and cost.

The use of international data transfer tools often depended on contractual obligations rather than proactive purposeful choice. Standard contractual clauses were generally the preferred and most used international data transfer tool, followed by data adequacy and binding corporate rules. Some businesses, regardless of size, would have faced challenges if data transfer tools were unavailable.

Understanding of the UK’s new data bridge with the United States and the Republic of Korea was generally limited, even among businesses aware of them. However, businesses generally reacted positively once informed.

International data transfer was crucial for businesses and client driven

Businesses that participated in this research could not operate effectively if they were unable to transfer data internationally as it was a well-established practice. Data was transferred commonly to Europe and the United States, with sensitive data such as customer information and payroll information being shared.

Businesses used methods they thought of as safe, relying on contractual agreements and established online platforms to transfer data internationally. Email was frequently used to transfer data internationally, along with secure platforms such as Virtual Private Networks (VPNs) and cloud services.

Although there were other decision factors such as resources available, nature, perceived sensitivity, size and type of data, the choice of method to transfer data internationally was client-driven. Despite lacking awareness of regulations, businesses valued data protection and followed client methods for transferring data internationally.

Businesses identified data localisation benefits and challenges

Businesses lacked awareness of data localisation but identified commercial advantages and disadvantages after it had been explained. Some saw it as beneficial for security and compliance, while others noted increased costs and operational challenges.

Businesses generally did not struggle with international data storage requirements and had a limited understanding of data flow barriers, though a few have been impacted by them.

2 Introduction

2.1 Research context

The 2024 UK Business Data Survey (UKBDS) is a telephone and online quantitative study of UK businesses. It focused on the role of digital data in UK businesses, international transfers of data and activities for data protection compliance. The results of the quantitative study can be found here.

Following the quantitative 2024 UKBDS study the Department for Science Innovation and Technology (DSIT) commissioned Ipsos to conduct qualitative research. This was to explore some themes in more detail. Particularly those that are hard to cover quantitatively in the 2024 UKBDS.

The purpose of the research was to get a better understanding of why and how businesses transfer data internationally.

2.2 Research aims

The aims of this research were to:

• understand businesses and the data that they share internationally
• understand businesses awareness of international transfer tools including data bridges
• understand businesses awareness of data localisation

2.3 Methodology

Ipsos conducted 22 qualitative in-depth interviews between February and April 2024 with UK businesses. Research was conducted with a range of UK businesses to understand a variety of perspectives on data protection topics. The businesses ranged in size and industrial sector, but all came from the 9% of businesses that say their business transfers (sends or receives) data with other organisations, businesses or people based outside of the UK.

A recruitment screener was used to ensure eligibility for the research. A recruitment screener was also used to ensure a spread of business size, sector, turnover and location. Refer to the Annex to this report for a breakdown of subgroups interviewed. Participant role varied, but all held positions of responsibility for data in their business and they tended to make decisions on transferring data internationally. Those in larger (medium and large) businesses tended to have specialist roles.

A discussion guide was developed by the Ipsos and DSIT research teams. This was to ensure the relevance of all questions asked. The discussion guide used in interviews with businesses is included in annex 1 to this report.

Interviews with businesses lasted between 45 and 60 minutes and were conducted via Microsoft Teams or telephone. Ipsos provided a ‘thank you’ payment of £60 to businesses either in the form of a charity donation or shopping voucher, dependent upon the participant’s preference.

2.4 How to read this report

Please see the glossary and abbreviations section in annex 2 for full details of the terminology used in this report.

Direct quotes have been included in this report to illustrate and highlight key points and common themes. Where direct quotes are used, they have been anonymised and attributed with the business sector and size.

The size of the business sizes are defined as follows:

• sole trader
• micro: business with 1 to 9 employees
• small: business with 10 to 49 employees
• medium: business with 50 to 249 employees
• large: business with more than 250 employees

Please note that 2 or more different participants may have the same information in the attributions for their quotes.

2.5 Interpretation and generalisability of findings

The findings in this report are intended to provide insight into the behaviours, views, and experiences of a range of businesses. By design, the research set out to capture a rich and detailed understanding of different behaviours, views, and experiences. This research did not set out to determine the prevalence of these behaviours, views, and experiences.

Where the report indicates that ‘few’, ‘some’, or ‘many’ businesses experienced or felt something, this is in relation to the research participants only. Findings cannot be considered representative of the entire UK business population and should not be interpreted as generalisable to the entire business population.

3 Understanding businesses that participated and the data that they transferred internationally

3.1 Transferring data internationally was essential to business function

Most businesses that participated in the research had been established for more than 10 years and had begun to transfer data internationally as soon as they were established.

Transferring data internationally was essential to business function for all businesses that participated in this research irrespective of their size or sector. Transferring data internationally was central to working with clients, colleagues and third-parties in other countries. Businesses reported that they could not operate effectively if they were unable to transfer data internationally.

3.2 Businesses that participated were most often transferring data between the UK, the EU, and United States

Businesses that participated in the research transferred data to a wide range of countries. The most frequently mentioned countries and regions for international data transfer were the United States, Germany, and various other countries within Europe such as France, Ireland, Poland, and Sweden.

Businesses transferred data less frequently to other regions such as Asia to countries like India, China, Japan, and the Philippines. Businesses also transferred data less frequently to the Middle East to countries such as the United Arab Emirates, Qatar, and Saudi Arabia.

There tended to be no change to where businesses transferred data in the last 5 years among businesses that participated.

3.3 Businesses regularly transferred sensitive digitised personal data

Businesses tended to transfer sensitive digitised personal data. They tended to transfer multiple types of data internationally at the same time. The following types of data were the most commonly transferred by businesses that participated:

• customer contact information such as names and email addresses as well as customer behaviour such as buying habits, websites visited, and links clicked
• human resources data such as sensitive employee data and pay roll information
• social media data such as data from LinkedIn
• financial accounting, market, sales and website data such as pricing and product data files as well as product catalogues
• scientific, analytical, and research and development data such as data from research trials and Artificial Intelligence training data

3.4 Businesses used a variety of methods to transfer data internationally

Email was a common method used to transfer data internationally among businesses that participated, due to its convenience, ease, and universality. Data was often protected by businesses, for example, through password encryption and two-factor authentication. This was because protecting data provided reassurance that data was safe and would be transferred by a secured method.

A variety of other methods were also used to transfer data internationally by businesses, which businesses said provided reassurance that data had been protected. Examples included Cisco AnyConnect, Slack, Teams, Zoom, Google Drive, WhatsApp, Secure File Transfer Protocol delivery, Application Programming Interfaces, Virtual Private Network, OneDrive, Dropbox, WeTransfer, shared servers, and Amazon Web Services.

Larger (medium and large) businesses that participated tended to use more sophisticated methods like cloud sharing platforms and secured servers to transfer data internationally.

3.5 Businesses generally lacked awareness of international data regulations but valued data protection, fearing the misuse of data could cause harm

Businesses that participated generally lacked awareness of regulatory requirements linked to data processing internationally. However, protecting data was seen as important, particularly when data being transferred internationally was sensitive. Businesses that participated perceived data to be sensitive on the basis it could cause harm if mishandled.

Contractual agreements were often in place which included clauses related to GDPR and other regulatory requirements. This often prompted some conscious and unconscious awareness of regulatory requirements among smaller (sole traders, micro and small) businesses that participated.

3.6 Clients determined the method used to transfer data internationally, but other factors applied too

Clients were often the initiators of transferring data internationally, especially if they shared data first. This was based on their own approach to regulatory compliance.

Businesses often followed client lead of transferring data internationally which then became an established practice. For smaller businesses that participated, this could often lead to client-driven transfer practices becoming established.

Businesses often used different methods to transfer data internationally for different clients. In some cases, once formal relationships with clients had been established, a Secure File Transfer Protocol (SFTP) could be set-up which could put an end to transferring data via email.

Although the choice of method to transfer data internationally was generally driven by clients with businesses following their lead, there were other factors that had an influence. These included:

• the resources such as financial means and time available to transfer data
• the nature of data being transferred such as its perceived sensitivity and confidentiality
• the size of the data, for example larger files being shared internet-based computer file transfers service or online file hosting services instead of email
• the type of the data such as HR data and customer contact information and behaviour

4 Businesses’ awareness, views and use of international transfer tools and data bridges

4.1 Familiarity with international tools across all business sizes was on a spectrum and was often driven by current use

Participants were shown 3 legal frameworks that allow the legal transfer of data internationally during interviews as well as data bridges which was related to data adequacy. Their prompted and unprompted views were gathered following this.

The 3 legal frameworks that allow the legal transfer of data internationally shown to participants as well as data adequacy were:

• Standard contractual clauses: clauses inserted into contracts which provide appropriate data protection safeguards under GDPR to personal data being sent internationally to a non-adequate country. 
• Binding corporate rules: Binding corporate rules are designed to provide appropriate safeguards for making internal or intragroup restricted transfers. They are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures, or professional partnerships.
• Data ‘adequacy’: a status granted by the UK to countries which provide high standards of protection for personal data. 
• ‘Data bridges’: the governments preferred public terminology for ‘data adequacy’ at the time of the research. It describes the decision to permit the flow of personal data from the UK to another country without the need for further safeguards.

Among businesses that participated, familiarity with international transfer tools across all business sizes fell on a spectrum from no familiarity (where the interview was the first time participants had heard about international transfer tools) to good familiarity (where participants spoke about these tools confidently).

Overall awareness of international transfer tools tended to be low. Businesses were often unable to relate to the term ‘tools’ and did not view them as such.

However, some businesses that had good familiarity with international transfer tools tended to use them when transferring data internationally. This was often in contrast to businesses that had no or little familiarity with the tools, and whose approach to transferring data was client-driven, often using less sophisticated methods such as email.

4.2 Smaller businesses generally had less awareness and knowledge about international transfer tools compared to larger businesses

Smaller businesses tended to have little or no awareness and knowledge about international transfer tools. They were often aware of the concept of international transfer tools but not specific terms such as standard contractual clauses, binding corporate rules, and data adequacy including data bridges.

Compared to smaller businesses, larger businesses generally had more awareness and knowledge of international transfer tools. This was often driven by the inclusion of data protection clauses in their contracts. Some larger businesses assumed clients within the EU were covered by GDPR, which they perceived as a form of data adequacy.

Participants who did not know about or use international transfer tools were asked their opinions after learning about tools that allow the legal transfer of data internationally.

These participants, particularly from smaller businesses, generally raised concerns about their use. They perceived all types of international transfer tools as being costly, confusing, and complex due to the legalistic language used.

Some smaller businesses felt that international transfer tools were more relevant for other businesses including those transferring personal data, or for larger, corporate, or professional businesses. This was for example on the basis that smaller businesses may follow a code of practice when transferring data internationally, but would not have rules in place.

Some businesses that felt this way were not aware that international transfer tools were only for transferring personal data.

4.3 Businesses used the same data transfer approach internationally as they did within the UK

Among businesses that participated, the approach to transferring data internationally generally did not differ from how they transferred data within the UK. This was often because businesses felt that if an approach was tried and tested in the UK setting, it would be likely to be applicable internationally too.

4.4 International transfer tool use was on a spectrum and were used for various reasons, including client requirements and data security

Among businesses that participated, the use of international transfer tools across all business sizes was on a spectrum. Businesses tended to fall into one of 3 following categories:

• Firstly, businesses not using international transfer tools. These businesses relied on emails as well as the security of VPNs and file hosting services to transfer data internationally
• Secondly, businesses unaware of international transfer tools but could be using them unknowingly. For example, another part of the business might be using international transfer tools, or they relied on their legal department to ensure that proper frameworks were followed
• Thirdly, businesses using international transfer tools such as standard contractual clauses, binding corporate rules, and data adequacy

Businesses that used international transfer tools were doing so for a range of reasons that included client requirement, or inclusion in business contracts. Preventing data breaches and ensuring data safety and security as well as legal compliance were other reasons why businesses used international transfer tools.

4.5 Businesses used data adequacy and data bridges for transferring data internationally

Among businesses that participated, the use of data adequacy and data bridges was generally driven by their inclusion in business contracts which tended to be client driven. Their use facilitated the transfer of data to several countries which included Canada, Iceland, Israel and the United States as well as Europe.

Some participants assumed automatic use of data adequacy when working with Europe and the United States, although they were unaware of the countries’ adequacy agreements with the UK. In some cases, this was based on the perception that these territories uphold high standards in data protection.

4.6 Businesses preferred standard contractual clauses and data adequacy over binding corporate rules

Businesses were asked for their views towards international transfer tools. For businesses who had used international transfer tools, this was also based on their experience.

There tended to be a preference for the use of standard contractual clauses and data adequacy among larger businesses that participated. Binding corporate rules generally lacked appeal.

Standard contractual clauses

Standard contractual clauses were generally used as standard with clients among businesses that participated. The use of standard contractual clauses tended to be routine and well-established. Reasons for this included standard contractual clauses being easy and straightforward to put into contracts once drawn up.

For some businesses, standard contractual clauses provided assurance even when data adequacy was in place. This was because it was felt that they provided a safety-net and clearly explained processes of dealing with data.

However, some participants also mentioned that standard contractual clauses could be costly and take time to draw up and negotiate.

Data adequacy

Some businesses used data adequacy and data bridges which provided comfort and assurance to a certain extent. However, they still used standard contractual clauses which were written into contracts as they provided clarity on responsibilities, a safety-net and ease.

For some businesses that participated, data adequacy was used in Europe and Canada with standard contractual clauses being used elsewhere.

Some participants felt that data adequacy was cheaper and straightforward. For example, that they would not need to necessarily be included into contracts. Some participants also expressed a desire for the UK to have data adequacy with more countries.

Binding corporate rules

Among businesses that participated there was a perception that binding corporate rules were more appropriate for larger and corporate / professional businesses than for smaller businesses. For example, one participant from a smaller business felt that binding corporate rules were not relevant for their business, because they were not big enough.

There was a perception among some businesses that binding corporate rules required too much effort and were costly. Some businesses that were transferring personal and non-personal data also felt that binding corporate rules were only appropriate if personal data was transferred. They were generally unaware that binding corporate rules were only used to transfer personal data.

However, some businesses not using binding corporate rules felt that they could protect data and prevent it from being stolen.

4.7 Unavailability of international data transfer tools would impact some businesses

There tended to be low levels of awareness and knowledge about international data transfer tools among some businesses that participated, irrespective of business size. However, among the businesses that were aware of and used international data tools, there was acknowledgement that there would be a negative impact if they became unavailable.

There were several reasons why businesses felt that they would be impacted if international data tools became unavailable. Concern and worry that they were acting unlawfully, and the increased risk of non-compliance were two key reasons.

The perception that it would become harder to operate internationally due to the risk of legal issues or facing operational restrictions were additional reasons for this. This was because some businesses felt that it could potentially impact their business efficiency, reach, and ability to service international clients. For example, that they would be limited to operating within the UK and would have to resort to less efficient methods such as face-to-face meetings.

4.8 Businesses had low awareness and superficial understanding of adequacy decisions

Awareness and understanding of adequacy decisions was generally low among businesses that participated. Businesses with some awareness tended to have a superficial understanding.

Businesses’ trust in other countries’ data protection measures was driven by experience of doing business with them. Some participants felt that certain countries, such as the countries of the EU, had sufficient safeguards in place. For these participants this meant that the data of UK citizens would be held and stored securely as well as their rules being the same as the UK’s.

Some participants recognised adequacy decisions as being related to EU data protection laws and providing a level of protection under these laws.

4.9 Businesses generally felt that the UK’s adequacy decisions streamlined data transfers

There was generally little or no awareness of the UK’s new data bridge with the United States or the Republic of Korea among businesses that participated.

However, a few businesses were aware of, and impacted by, the UK’s new data bridge with the United States.

The few businesses that were aware of, and impacted by, the UK’s new data bridge with the United States felt that this streamlined data transfers, offered reassurance and was beneficial and efficient. Reasons for this included it being helpful as it increased speed and kept things simple, while also providing assurance and reducing diligence requirements. There was acknowledgment that there could be variation between the United States’ 50 states which needed to be factored in.

One large business reported that the UK’s new data bridge with the United States had reduced the amount of resource required for considering and assessing data transfer to the United States. This was because before this data bridge, the business had to fill out a long questionnaire about security protocols which took considerable time to complete.

Businesses previously unaware of adequacy decisions were favourable towards them, once informed. This was because they felt that these would simplify international data transfer and provide comfort, as other countries had similar standards to the UK’s. There was also acknowledgement that there would still need to be checks and balances in place to ensure accountability and transparency.

5 Businesses’ awareness of data localisation and views towards them

5.1 Awareness of data localisation was generally low, but businesses identified commercial advantages and disadvantages once prompted

Awareness of data localisation was generally low among businesses that participated. Businesses had often only thought about data localisation for the first time during the interview. They were presented with the following information about data localisation in the interview:

• “Data localisation is the practice of processing and storing data within a specific geographic location. The extent to which data that are generated in a jurisdiction for example by businesses, organisations, or individuals are subject to measures that restrict the use of those data outside that jurisdiction. One example of data localisation would be GDPR.”

A few businesses demonstrated a clear understanding of data localisation and its implications while others were not as familiar or unfamiliar with the concept.

Businesses identified commercial advantages and disadvantages of data localisation once prompted. Commercial advantages identified by businesses included:

• Enhanced security and data protection: many businesses saw data localisation as a way to increase data protection and security. By keeping data within local borders, they felt that the risk of data breaches could be minimised
• Compliance with local laws: for businesses operating in countries with strong data protection laws, data localisation enabled them to comply with these laws and avoid potential legal issues
• Local competitive advantage: some businesses saw potential for local competitive advantage if data localisation restricted the ability of overseas businesses to supply in the UK

As well as identifying commercial advantages, businesses identified commercial disadvantages of data localisations which included:

• Increased operational costs: some businesses reported that local data storage requirements increased their operational costs. This was relevant for businesses that had to set up multiple data centres in different locations to meet local data localisation regulation
• Limited international collaboration: some businesses felt that restrictions on data flow could limit international collaboration. This was a key issue for businesses operating globally
• Challenges due to different protocols: for businesses operating internationally, dealing with different data protocols in each country due to data localisation was seen as a major challenge
• Potential hindrance to business development: for some businesses, too strict limits on data transfer due to data localisation could potentially hinder their international operations and business development

5.2 Specific requirements for local data storage when doing business internationally was generally not a concern for businesses

Data localisation was an important factor in decision making for some businesses. This tended to be applicable to businesses that dealt with multiple markets and government entities that have data protection rules to protect data.

Businesses that participated generally did not encounter any specific requirements for local data storage.

However, one micro business in the professional, scientific and technical activities sector had encountered specific requirements for local data storage. This business operated through service companies in many countries and had a subsidiary in the United Arab Emirates that required energy monitoring and control data to be hosted locally.

Local United Arab Emirates data regulation meant that data hosted in the Republic of Ireland would need to be moved to the local territory. This was not a requirement across the other countries the business operated in. As a result of this, the business would incur a cost of complying with local United Arab Emirates data regulation.

Speaking more generally about data localisation, the participant reported that this could lead to higher fixed costs relating to data infrastructure, such as setting up arrangements with a data centre. Separate fixed costs for each territory would be likely to make the business unprofitable.

The participant reported that the business could manage with the United Arab Emirates having their own local data regulation as a one-off.

However, the participant felt that if more countries began to require their own local data centre, their business model would be affected considerably. This was because it would be the cheapest for the business to have data go through one data centre rather than separate data centres in countries with their own data localisation regulation.

5.3 Businesses generally showed limited understanding of data flow barriers irrespective of business size, but a few had been impacted by them

Businesses that participated generally had a limited awareness and understanding of data flow barriers. The term and concept of data flow barriers was not well recognised by businesses irrespective of business size.

Smaller (sole traders, micro and small) businesses tended to focus on compliance with GDPR and other data protection protocols, which focused on avoiding sharing of sensitive personal data.

Some smaller businesses associated GDPR with data flow barriers. This was because they spontaneously raised General Data Protection Regulation when data flow barriers were being discussed.

One business felt data flow barriers preventing the sharing of commercial data could represent a barrier to working internationally. This was on the basis that this would be counterproductive to the commercial aims of the business.

Some businesses reported minimal or no impact of data flow barriers. However, for other businesses, data flow barriers had led to changes in operations. For example, keeping UK data within the UK, or setting up data centres in specific countries to comply with data localisation laws.

For one large business, EU exit affected data flows and how data was handled across the new EU border. This caused reductions to the amount of data coming into and out of the UK from Europe. The same large business observed that the Chinese government’s use of data localisation over the past 5 to 8 years to promote domestic companies over multinationals had led to a slowdown in their business.

6 Conclusion

This research investigated the perspectives and experiences of UK businesses that had transferred data internationally. This was to get a better understanding of why and how businesses transfer data internationally.

The key conclusions are presented below:

• Importance of data sharing: businesses, irrespective of business size need to transfer data internationally to operate effectively
• Regulatory requirements: businesses did not mention regulatory requirements as a primary concern for international data transfer. They preferred methods such as contractual agreements and established online platforms which they considered to be safer when transferring data internationally
• Client-driven decisions: although there were other factors the choice of methods to transfer data internationally were client led and influenced by their preferences
• Awareness and knowledge: there was significant variation in awareness and knowledge of international data transfer tools among businesses that participated. Smaller (sole traders, micro and small) businesses generally had less awareness of international data transfer tools
• Dependence on contracts: the use of international data transfer tools was often driven by contractual obligations rather than proactive choices
• Preferred international data transfer tools: standard contractual clauses were the most preferred and used by businesses that participated. Data adequacy and data bridges followed in preference. Binding corporate rules were the least preferred
• Challenges without tools: some businesses, regardless of size, would face challenges if international data transfer tools were unavailable
• Limited understanding of the UK’s adequacy decisions: even among businesses aware of adequacy decisions, understanding was generally limited
• Data localisation awareness: businesses initially lacked awareness but recognised commercial advantages and disadvantages of data localisation after explanation
• International data storage: businesses generally did not struggle with international data storage requirements. There was limited understanding of data flow barriers, although some businesses were impacted by them

Annex 1: Sample and topic guide

Participant sample

The final composition of the research sample is outlined below.

Twenty-two qualitative in-depth interviews were conducted with UK businesses between February and April 2024. Interviews with businesses were conducted via Microsoft Teams or telephone and lasted between 45 to 60 minutes each.

Table 1 shows business sector of participating businesses:

Business sector	Interviews completed
C: Manufacturing	3
G: Wholesale and retail trade; repair of motor vehicles and motorcycles	2
I: Accommodation and food service activities	1
J: Information and communication	5
K: Financial and insurance activities	2
M: Professional, scientific and technical activities	6
N: Administrative and support service activities	2
P: Education	1

Table 2 shows business location participating businesses:

Business location	Interviews completed
England	17
Scotland	3
Wales	1
Northern Ireland	1

Table 3 shows business size of participating businesses:

Business size	Interviews completed
Zero – Sole trader	4
Micro (1 to 9 employees)	4
Small (10 to 49 employees)	5
Medium (50 to 249 employees)	4
Large (more than 250 employees)	5

Table 4 shows business turnover of participating businesses:

Business turnover	Interviews completed
£10,000 to 49,999	3
£50,000 to 99,999	1
£100,000 to 249,999	1
£250,000 to 499,999	1
£450,000 to 999,999	1
£1 million to £4,999,999	7
£5 million to £9,999,999	1
More than £10 million	5

Depth interview topic guide

Introduction 2 to 3 minutes

Introduce yourself and Ipsos: My name is MODERATOR TO ADD NAME and I am a researcher working for Ipsos, an independent research organisation.

Explain research: The Department for Science, Innovation and Technology (DSIT) has commissioned Ipsos to carry out this study which involves talking with UK businesses to get a better understanding of why and how they transfer data internationally. This topic was also covered in the 2023 UK Business Data Survey which you or someone in your organisation has responded to. This interview will provide an opportunity to discuss the issue in more detail.

The interview: The nature of the research is exploratory, and the discussion will be informal. There are no right or wrong answers.

Explain confidentiality: The contents of our discussion are completely confidential, and all findings are reported on anonymously. This means that no identifiable information will be shared with the Department for Science, Innovation and Technology or any other parties.

Explain payment for participation. You will receive £60 as either a shopping voucher or charity donation as a thank you for your time. (ONLY IF THEY ASK: Let participants know that it takes a maximum of 8 working days for them to receive the incentive.)

Explain voluntary participation: If you wish to end the discussion at any time, please let me know. Your participation in this research is voluntary.

Length of the interview: This discussion will last a maximum of 60 minutes.

Questions: Do you have any questions before we begin?

Consent to audio record: I would like to record our discussion as this helps with making notes and analysis? Recordings are used only for analysis purposes and are stored securely and deleted 12 months after the interview takes place.

MODERATOR TO TURN ON RECORDING

GDPR added consent (MODERATOR TO ASK ONCE RECORDER IS ON)

Ipsos’s legal basis for processing your data is your consent to take part in this research. Your participation is voluntary. You can withdraw your consent for your data to be used at any point before, during or after the interview and before data is anonymised at the end of June 2024.

Can I check that you are happy to proceed?

Business background 3 to 5 minutes

To start our discussion, I would like to spend a few minutes understanding your business in a bit more detail.

Firstly, please could you briefly describe your business?

• How long has the business been operating?
• What does the business do?
• How would you describe the size and structure of the business?

Could you briefly describe your role within the business?

• How long have you been working in this business?
• What are your responsibilities?

Understanding businesses and the data they share internationally 18 to 20 minutes

I would now like to discuss the international data sharing that your business undertakes.

OPEN BROAD QUESTION: Can you please tell me about the international data sharing which includes sending and receiving data that your business does?

• What types of data does your business transfer internationally?
• Why does your business transfer data internationally?

Gauge spontaneous responses first and then probe with any of the following:

• What benefits does your business gain from doing this? E.g.:
• Ease of doing work?
• Saving costs on outsourcing?
• Ability to expand sales or into other markets?
• Other benefits?

What are the other drivers of transferring data internationally? E.g.

• Regulatory purposes such as dealing with legal requests from other governments

• The business operating as a multinational

• And does this transfer involve the sending data between different businesses or entities?

GAUGE SPONTANEOUS RESPONSES FIRST AND THEN CLARIFY AS REQUIRED:

ICO transfer rules only apply for personal data transfers where the receiver is a separate controller or processor and legally distinct from the sender. The receiver can be a separate sole trader, partnership, company, public authority, or other organisation, and includes separate companies (parent and subsidiaries) in the same group. The transfer rules do not apply where the receiver is an employee of the sender, or the sender and receiver are part of the same legal entity, such as a company.

For the purposes of our conversation, I’d like to focus on instances where data is sent between different businesses.

For how long has your business been transferring data internationally?

To which countries does your business transfer data? MODERATOR TO MAKE NOTE OF THIS AND PROBE ON COUNTRIES LISTED IN COLUMN X IN THE RESPONDENT PROFILE.

How, if at all, has where you have transferred data to and from changed in the last five years?

Why did your business decide to begin transferring data internationally?

GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE WITH ANY OF THE FOLLOWING:

• Importing goods and or services
• Exporting goods and or services
• Acquisition from foreign firm
• Office abroad

MODERATOR OUTLINE AND TAILOR ACCORDING TO INTERVIEW MODE (Teams or Telephone): What I am showing to you now via share screen and read to you / read out are some types of data that can be shared internationally.

MODERATOR TO READ AND SHARE SCREEN (SLIDE 2) IF TEAMS OR READ ONLY IF TELEPHONE: Here are some types of data that can be shared internationally:

• Customers’ contact information such as email, names, addresses
• Financial / accounting data such as revenue, profit, accounts
• Sales or transaction data such as products sold
• Customer behaviour data such as buying habits, websites visited, links clicked etc.
• HR or payroll data such as employee names
• Stock and supply data such as current stock, orders placed, inventory
• Environmental monitoring data such as air quality, noise data
• Website traffic including cookies
• Social media data such as publicly shared data on social media profiles such as posts and check-ins
• Marketing data and research such as customer surveys or research on competitors
• Data on the economy such as financial news, central bank forecasts
• Scientific, analytical, and research & development data and results such as data from trials or research, AI training data etc
• Sensor data such as from machinery, CCTV
• Geolocation data or satellite monitoring and imagery such as mapping data, other than that covered already as addresses about customers, employees, suppliers, earth observation
• Medical records
• Biometric, socio-demographic such as faces / facial recognition, fingerprints
• Other sensitive data not already covered such as sexual orientation, union membership etc.
• Other

What, if any, type(s) of data from this list does your business share internationally?

Are you more likely to transfer a specific type of data internationally?

IF YES:

• Which type(s)?
• Why are you more likely to transfer this specific type(s) of data internationally? GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE WITH ANY OF THE FOLLOWING:
• Ease of transferring that type of data, in terms of regulations
• Business need

IF NO:

• Why not?

How important is transferring these different types of data internationally to your business?

Why is it important? GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE WITH:

• Business activities cannot occur without international data transfer
• Which of these types are most important to your business?

How is the data transferred?

GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE WITH:

• Over email,
• Over shared servers
• Off the shelf software like Egress, Google Drive, DropBox, WeTransfer, or Send Anywhere –This includes email encryption, secure file transfer, and data loss prevention solutions. The goal of this software is to protect sensitive information and ensure it is only accessed by the intended recipients. This software caters to businesses of all sizes and across various industries, helping them to protect their data, meet compliance standards, and securely collaborate with partners.

Why does your business choose to transfer data internationally like this?

What are the advantages and disadvantages of this method?

How much, if any, business resource is required when transferring data internationally?

Understanding businesses’ awareness of international transfer tools and data bridges18 to 20 minutes

MODERATORS TO READ AND FAMILIARISE THEMSELVES WITH THE FOLLOWING:

Data ‘adequacy’: A status granted by the UK to countries which provide high standards of protection for personal data.

‘Data bridges’: This is the governments preferred public terminology for ‘data adequacy’ and describes the decision to permit the flow of personal data from the UK to another country without the need for further safeguards.

Adequacy decisions allow UK businesses or organisations to send data to recognised countries without needing to put in place additional safeguards. Relevant tools to transfer data internationally:

Standard Contractual Clauses (SCCs): Clauses inserted into contracts which provide appropriate data protection safeguards under GDPR to personal data being sent internationally to a non-adequate country.

Binding Corporate Rules (BCRs): BCRs are designed to provide appropriate safeguards for making internal or intragroup restricted transfers, and are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures, or professional partnerships.

International Data Transfer Agreements (IDTAs) and Addendum to the EU SCCs replacing the current EU SCCs as the UK’s standard data protection clauses after 21 March 2024.

How, if at all, does your approach to transferring data internationally differ from how you transfer data within the UK?

• In what ways?
• What factors affect the approach you take? (destination country, data type, anything else?)
• What do you do to ensure that international data transfers are legally compliant?
• How, if at all, is data transfer reflected in your standard contracts?

What rules or legal frameworks are you aware of surrounding the way that data can be transferred internationally?

ALLOW ALL SPONTANEOUS RESPONSES FIRST AND THEN PROMPT AS FOLLOWS:

MODERATOR OUTLINE AND TAILOR ACCORDING TO INTERVIEW MODE (Teams or Telephone): What I am showing to you now via share screen and read to you / read out are a range of legal frameworks that allow legal transfer of data internationally.

MODERATOR TO READ AND SHARE SCREEN (SLIDE 3) IF TEAMS OR READ ONLY IF TELEPHONE: Here are a range of legal frameworks that allow legal transfer of data internationally:

Standard Contractual Clauses (SCCs): Clauses inserted into contracts which provide appropriate data protection safeguards under GDPR to personal data being sent internationally to a non-adequate country. 

Binding Corporate Rules (BCRs): BCRs are designed to provide appropriate safeguards for making internal or intragroup restricted transfers, and are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures, or professional partnerships.

Data ‘adequacy’: a status granted by the UK to countries which provide high standards of protection for personal data. 

‘Data bridges’: The governments preferred public terminology for ‘data adequacy’ and describes the decision to permit the flow of personal data from the UK to another country without the need for further safeguards.

What, if any, familiarity do you have with these?

FOR THOSE UNAWARE OF TOOLS / NOT USING THEM: What are your thoughts after hearing about these?

• Why do you say this?
• Is there anything that stood out? Why do you say this?
• Were you aware of these?

You mentioned earlier on that your business transfers data to MODERATOR TO INSERT COUNTRIES MENTIONED IN THE PREVIOUS SECTION. What, if any, frameworks do your business use when transferring data to these countries?

• Why does your business use these?
• How, if at all, does this differ according to country?
• Do you use multiple tools within the same country?
• What has your experience been of using them?
• How much business resource is required when using these?
• Is use of transfer tools outsourced? Why / why not?
• Does your business prefer to send data using tools such as standard contractual clauses and binding corporate rules or using adequacy decisions?

IF YES:

• Why does it have this preference?
• Do they meet your needs? Why / Why not?

IF NO:

• What are the main reasons they do not meet your needs? PROBE:
• Implementation costs
• Difficulty of implementation
• Other?

What, would you suggest to improve your ability to use these tools to meet your needs? Why?

What benefits, if any, are there of using these?

Why are these considered to be benefits?

What challenges, if any, are there when using these? * Why are these considered to be challenges? * What, if any, impact do these challenges have on the business? * How, if at all, do you overcome these challenges?

What would be the impact if these tools were not available to you? * Why is this?

If you do not make use of these tools, why is this?

MODERATOR TO READ: Data ‘adequacy’: a status granted by the UK to countries which provide high standards of protection for personal data. 

OPEN BROAD QUESTION: Can you please tell me if you are aware of any adequacy decisions and what you think they mean?

GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE WITH: EU adequacy decision.

Can you please tell me if you are aware of the UK’s new adequacy decisions for the United States or Republic of Korea and what you think they mean?

IF AWARE:

• What understanding, if any, do you have about the change in rules about how to share personal data with the United States and Republic of Korea?
• What understanding, if any, do you have of what the adequacy decisions / ‘data bridges’ mean for your business?
• What impact, if any, have adequacy decisions had on whether your business transfers data into those jurisdictions? GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE WITH:
• Potential plans to share data into those jurisdictions
• Opportunities to share data into those jurisdictions

To what extent, if any, have adequacy decisions changed the way in which your business operates?

GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE WITH:

• Decisions to use international data transfer tools or adequacy decisions / data bridges.
• Any changes in the amount of time or money spent on transferring personal data internationally.

Why has your business changed to this extent?

What, if any, impact has this had on your business?

What would have been the impact if data adequacy had not been put in place?

How does an adequacy decision impact your likelihood of transferring data with a country? For example, are you more or less likely to transfer data?

GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE WITH:

• Data security factors
• Business reason
• Why is this?

To what extent, if any, would an adequacy decision for a country you transfer data to make you more likely to stop using other international data transfer tools such as Standard Contractual Clauses?

Why is this?

What challenges, if any, are there with using adequacy decisions to transfer data internationally?

Why are these challenges?

What, if any impact do they have on your business?

Understanding businesses awareness of data localisation 8 to 10 minutes

MODERATORS TO READ AND FAMILIARISE THEMSELVES WITH THE FOLLOWING:

Data localisation: This is the practice of processing and storing data within a specific geographic location. The extent to which data that are generated in a jurisdiction for example by businesses, organisations, or individuals are subject to measures that restrict the use of those data outside that jurisdiction. This includes storage.

MODERATOR TO READ: Data localisation is the practice of processing and storing data within a specific geographic location. The extent to which data that are generated in a jurisdiction for example by businesses, organisations, or individuals are subject to measures that restrict the use of those data outside that jurisdiction. One example of data localisation would be GDPR.

What are your views on data localisation?

GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE WITH THE FOLLOWING WILL BE DEPENDENT ON WHETHER THEY DISCUSS DOMESTIC AND / OR FOREIGN LOCALISATION:

What do you think are the advantages and disadvantages of restricting the flow of data between geographical locations:

• For governments?
• For businesses?
• Specifically for your business sector?
• For individuals?

How does data localisation impact your business?

GAUGE SPONTANEOUS RESPONSES FIRST AND THEN PROBE:

• Impact of restrictions on cross-border data flows for your business?
• Impact of local data storage requirements for your business?
• Storing data using international servers?
• Storage costs of storing data?
• Inability to transfer personal data due to cross-border restrictions?
• Do you have any examples of instances where this has impacted your business?

Have you been discouraged from conducting business internationally because of data flow barriers?

• Why do you say this?
• Do you have any examples of this?

To what extent does your business understand data flow barriers?

Why do you say this?

On which aspects do you have more / less knowledge?

Can you provide any examples?

Wrap up 2 minutes

What is the key thing you would like to feed back to the Department for Science, Innovation and Technology about what we have discussed today?

Is there anything else you’d like to mention that we haven’t had a chance to discuss? The Department for Science, Innovation and Technology may want to do some follow-up research on this subject in the future. Would you be happy to be contacted by DSIT / Ipsos for future research?

INCENTIVE: Thank participant and remind them of confidentiality. Explain that they can get in touch if they have any further comments or questions about the research. Remind them of the £60 shopping voucher or charity donation thank you from Ipsos, as an appreciation for their time and contribution to the research. (ONLY IF THEY ASK: Let participants know that it takes a maximum of 8 working days for them to receive the incentive.)

Annex 2: Glossary and abbreviations

This report uses terminology and abbreviations that are explained below.

Term	Definition
Artificial Intelligence (AI)	Artificial intelligence (AI) refers to computer systems capable of performing complex tasks that historically only a human could do, such as reasoning, making decisions, or solving problems.
Binding Corporate Rules (BCRs)	Binding corporate rules are designed to provide appropriate safeguards for making internal or intragroup restricted transfers. They are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures, or professional partnerships.
Cloud	The cloud refers to servers that are accessed over the Internet, and the software and databases that run on those servers. Cloud servers are in data centres all over the world. By using cloud computing, users and businesses do not have to manage physical servers themselves or run software applications on their own machines.
Data ‘adequacy’	Data ‘adequacy’ is a status granted by the UK to countries which provide high standards of protection for personal data.
‘Data bridges’	‘Data bridges’ was the government’s preferred public terminology for ‘data adequacy’ at the time of the research. It describes the decision to permit the flow of personal data from the UK to another country without the need for further safeguards.
Data localisation	Data localisation is the practice of processing and storing data within a specific geographic location. The extent to which data that are generated in a jurisdiction for example by businesses, organisations, or individuals are subject to measures that restrict the use of those data outside that jurisdiction. One example of data localisation would be General Data Protection Regulation (GDPR).
Department for Science, Innovation and Technology (DSIT)	The Department for Science, Innovation and Technology (DSIT) is responsible for helping to encourage, develop and manage the UK’s scientific, research, and technological outputs. DSIT is also responsible for managing the necessary physical and digital infrastructure and regulation to support the British economy, UK public services, national security, and wider UK Government priorities.
European Union (EU)	The EU countries are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
Information Commissioner’s Office (ICO)	The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO is an executive non-departmental public body, sponsored by the Department for Science, Innovation and Technology.
Large business	A business with more than 250 employees.
Larger businesses	This refers to medium and large businesses with more than 49 employees.
Medium business	A business with 50 to 249 employees.
Micro business	A business with 1 to 9 employees.
Secure File Transfer Protocol (SFTP)	Secure File Transfer Protocol (SFTP) is a network protocol for securely accessing, transferring and managing large files and sensitive data.
Sole trader	A sole trader is a type of business. A sole trader involves one person who owns and operates the business.
Small business	A business with 10 to 49 employees.
Smaller businesses	This refers to sole traders, micro businesses, and small businesses with up to 49 employees.
Standard Contractual Clauses (SCCs)	Standard contractual clauses are clauses inserted into contracts which provide appropriate data protection safeguards under General Data Protection Regulation (GDPR) to personal data being sent internationally to a non-adequate country.
Two-factor authentication (2FA)	Two-factor authentication (2FA), or multi-factor authentication (MFA) is an electronic authentication method in which a user is granted access to a network or application only after successfully presenting two or more pieces of evidence to an authentication mechanism (for example, a password and a one-time passcode).
UK Business Data Survey (UKBDS)	The UK Business Data Survey (UKBDS) is an official statistics publication that has been produced to the standards set out in the Code of Practice for Statistics. It helps the government understand the nature and importance of data use in industry, as well as its potential and realised economic impacts.
UK General Data Protection Regulation (GDPR)	UK General Data Protection Regulation (GDPR) is a law that sets guidelines for the collection and processing of personal information from individuals. UK GDPR came into effect in May 2018. Participants referred to UK GDPR as ‘GDPR’ in interviews and so throughout this report, ‘GDPR’ is used to mean UK GDPR.
Virtual Private Network (VPN)	A Virtual Private Network (VPN) is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorised people from listening in on the traffic and allows the user to conduct work remotely. Virtual Private Network technology is widely used in business environments.

Annex 3: Further information

The Department for Science, Innovation and Technology would like to thank the following people for their work in the development and carrying out of this research and for their work compiling this report:

• Amrita Sood, Ipsos
• Shahil Parmer, Ipsos

This work was carried out in according with the requirements of the international quality standard for Market Research, ISO 20252.