Third party arrangements
Control measure: Arrangements are in place with joint controllers in the event of a personal data breach.
Risk: Without an understanding and agreement about the respective responsibilities of joint controllers in the event of a personal data breach, there is a risk that breaches will go undetected and, as a result, unreported. Without documented responsibilities set out in transparent arrangements between the controllers, there may be a breach of UK GDPR article 26.
Ways to meet our expectations:
- Identify any controllers with whom you jointly process personal data.
- Determine with joint controllers your respective responsibilities for handling personal data breaches.
- Agree communication channels between the parties in the event of a personal data breach, including nominated points of contact.
- Test breach communication channels and procedures with joint controllers.
Options to consider:
- Agree secondary nominated points of contact to cover absences, and document the out-of-hours arrangements.
- Keep the arrangements under review following any personal data breaches or near misses.
Control measure: Contracts are in place between the controller and any processors working on their behalf that reflect the processor's obligations in the event of a personal data breach.
Risk: Without an agreement setting out the processor's obligations in the event of a personal data breach, there may be a breach of UK GDPR articles 28 and 32 to 36.
Ways to meet our expectations:
- Put in place contractual agreements with processors that specify how to meet the requirements of article 33 of the UK GDPR and set out each party's responsibilities if a personal data breach occurs.
- Include any agreed arrangements for the processor to report a personal data breach on your behalf.
- Agree and document timescales for processors to report suspected personal data breaches to you.
- Agree communication channels between parties in the event of a personal data breach and nominated points of contact.
Options to consider:
- Agree secondary nominated points of contact to cover absences, and document the out-of-hours arrangements.
- Keep contractual agreements under review, particularly following any personal data breaches or near misses.