Third party arrangements
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Control measure: Arrangements are in place with joint controllers in the event of a personal data breach.
Risk: Without an understanding and agreement about the respective responsibilities of joint controllers in the event of a personal data breach, there is a risk that breaches will go undetected and, as a result, unreported. Without documented responsibilities in transparent arrangements between the controllers, there may be a breach of UK GDPR article 26.
Ways to meet our expectations:
- Identify any controllers with whom you jointly process information.
- Determine with joint controllers your respective responsibilities for handling personal data breaches.
- Agree communication channels between the parties in the event of a personal data breach, including nominated points of contact.
- Test breach communication channels and procedures with joint controllers.
Options to consider:
- Agree secondary nominated points of contact in the event of absence and document the out of hours arrangements.
- Keep the arrangements under review following any personal data breaches or near misses.
Control measure: Contracts are in place between the controller and any processors working on their behalf that reflect the processor's obligations in the event of a personal data breach.
Risk: Without an agreement outlining the processor's obligations in the event of a personal data breach, there may be a breach of UK GDPR articles 28 and 32-36.
Ways to meet our expectations:
- Put in place contractual agreements with processors that specify how to meet the requirements of article 33 of the UK GDPR and each party's responsibilities if a personal data breach occurs.
- Include any agreed arrangements for the processor to report a personal data breach on your behalf.
- Agree and document timescales for processors to report suspected personal data breaches to you.
- Agree communication channels between parties in the event of a personal data breach and nominated points of contact.
Options to consider:
- Agree secondary nominated points of contact in the event of absence and document the out of hours arrangements.
- Keep contractual agreements under review, particularly following any personal data breaches or near misses.