Third party arrangements
-
The Data (Use and Access) Act 2026 got Royal Assent on 19 June 2025. All the provisions affecting data protection law and the Privacy and Electronic Regulations Communications are now in force. The Department for Science and Innovation (DSIT) has set out the commencement plans. You can find more details on the Gov.uk website.
Control measure: Arrangements are in place with joint controllers in the event of a personal data breach.
Risk: Without an understanding and agreement about the respective responsibilities for joint controllers in the event of a personal data breach, there is a risk that they will go undetected and as a result unreported. Without documented responsibilities in transparent arrangements between the controllers, there may be a breach of UK GDPR article 26.
Ways to meet our expectations:
- Identify any controllers who you jointly process information with.
- Determine with joint controllers your respective responsibilities for handling personal data breaches.
- Agree communication channels between the parties in the event of a personal data breach, including nominated points of contact.
- Test breach communication channels and procedures with joint controllers.
Options to consider:
- Agree secondary nominated points of contact in the event of absence and document the out of hours arrangements.
- Keep the arrangements under review following any personal data breaches or near misses.
Control measure: Contracts are in place between the controller and any processors working on their behalf that reflect the processor's obligations in the event of a personal data breach.
Risk: Without an agreement outlining the processors obligations in the event of a personal data breach, there may be a breach of UK GDPR articles 28, 32-36.
Ways to meet our expectations:
- Put in place contractual agreements with processors that specify how to meet the requirements of article 33 of the UK GDPR and each parties' responsibilities if a personal data breach occurs.
- Include any agreed arrangements for the processor to report a personal data breach on your behalf.
- Agree and document timescales for processors to report suspected personal data breaches to you.
- Agree communication channels between parties in the event of a personal data breach and nominated points of contact.
Options to consider:
- Agree secondary nominated points of contact in the event of absence and document the out of hours arrangements.
- Keep contractual agreements under review and following any personal data breaches or near misses.