The ICO exists to empower you through information.

Control measure: Arrangements are in place with joint controllers in the event of a personal data breach.

Risk: Without an understanding and agreement about the respective responsibilities of joint controllers in the event of a personal data breach, there is a risk that breaches will go undetected and, as a result, unreported. Without documented responsibilities in transparent arrangements between the controllers, there may be a breach of UK GDPR article 26.

Ways to meet our expectations:

  • Identify any controllers who you jointly process information with.
  • Determine with joint controllers your respective responsibilities for handling personal data breaches.
  • Agree communication channels between the parties in the event of a personal data breach, including nominated points of contact.
  • Test breach communication channels and procedures with joint controllers.

Options to consider:

  • Agree secondary nominated points of contact in the event of absence and document the out of hours arrangements.
  • Keep the arrangements under review following any personal data breaches or near misses.


Control measure: Contracts are in place between the controller and any processors working on their behalf that reflect the processor's obligations in the event of a personal data breach.

Risk: Without an agreement outlining the processor's obligations in the event of a personal data breach, there may be a breach of UK GDPR articles 28 and 32-36.

Ways to meet our expectations:

  • Put in place contractual agreements with processors that specify how to meet the requirements of article 33 of the UK GDPR and each party's responsibilities if a personal data breach occurs.
  • Include any agreed arrangements for the processor to report a personal data breach on your behalf.
  • Agree and document timescales for processors to report suspected personal data breaches to you.
  • Agree communication channels between parties in the event of a personal data breach and nominated points of contact.

Options to consider:

  • Agree secondary nominated points of contact in the event of absence and document the out of hours arrangements.
  • Keep contractual agreements under review, particularly following any personal data breaches or near misses.