When it comes to data protection, compliance doesn’t stop at your company’s front door. Under the UK’s data protection law (UK GDPR) and ICO guidance, your responsibility extends to every third party that handles personal data on your behalf. Such third parties include marketing agencies, IT partners, payroll processors, HR advisors and others.
When it comes to data handling, a weak link in your supply chain can expose you to significant legal, financial, and reputational risks. The UK Information Commissioner’s Office (ICO) continues to take a strong line with businesses that ignore their GDPR obligations, especially those that assume outsourcing means washing their hands of the issue.
How can you ensure your business remains GDPR-compliant when working with third parties? The latest guide from Jamieson Law will help you find the answers you need. It is based on the expertise of our team of professionals, who can provide support with GDPR compliance, as well as a broader range of commercial contract legal issues.
Why Third-Party GDPR Compliance Matters
It’s difficult to overestimate the importance of GDPR law to UK businesses. Failure to comply can be incredibly costly: ICO fines can reach 4% of your annual global turnover, and there are numerous instances where this has amounted to millions of pounds. Many organisations fall foul of the rules because they misunderstand what happens when data processing is handed off to another business. It is easier to get a handle on once you realise that sharing data doesn’t shift your responsibility; it merely adds a further element to it. GDPR rules split data handlers into two categories. Controllers determine how and why personal data is used, and processors use the data as part of their work. Therefore, if you send your data to a supplier or partner, you may no longer be the processor. However, you are definitely still the controller, and you remain responsible for any breaches.
Article 28 of the UK GDPR rules is explicit. Controllers sharing data with third parties must choose data processors that can guarantee compliance with data protection requirements. Failing to do so can lead to an ICO investigation and punishment, and the associated financial and reputational damage. In a situation where a company outsources its customer email campaigns, for example, to an external agency, both the controller (the company) and the processor (the agency) can still be held accountable. Protecting personal data, as mandated by law, is a collective effort.
Understanding Roles – Data Processors and Controllers
Before you can manage compliance, you need to know how any task involving personal data will be handled and by whom. Firstly, it’s essential to establish a lawful basis for sharing data. Swapping, giving away, or selling personal data without reasonable grounds is never appropriate and can leave you in hot regulatory water.
Assuming you have a justifiable reason for sharing data, controllers issue instructions about how it is to be used, and data processors then act on the controller’s instructions. As the name implies, they perform any necessary data processing to complete the work.
For example, an outsourced payroll provider will act as a processor if they update an employee’s contact details on behalf of their client, who, in this circumstance, is acting as the controller.
Things become complex when the data handling purposes and means are shared. For example, an HR consultancy and client might jointly design an onboarding process for new recruits, with both parties issuing data handling instructions. To comply with GDPR legislation, in this circumstance, both parties would have to be identified as data controllers, even if data ownership lies with just one partner. Overall, third-party GDPR compliance requires an open, honest, and transparent discussion of roles and responsibilities.

The Role of Data Processing Agreements (DPAs)
Given the situation we’ve described above, it won’t come as a surprise to know we recommend that Data Processing Agreements (DPA) form part of any contract with a third party. It’s essential to put everything in writing, beginning with clearly defining each organisation’s data handling role. Are they a controller, a joint controller, or a processor?
Article 24 of the GDPR rules outlines the responsibilities of the controller, and Article 28(3) of the GDPR rules specifies what a DPA between a controller and processor must cover.
Example information includes:
- The nature and purpose of data handling
- The types of personal data and categories of data subjects involved
- The duration of any data handling project
- Each party’s obligations and rights
A DPA should also outline, as a minimum, how the following 6 GDPR considerations should be handled by the parties involved.
- Data Collection & Transparency
- Data Security & Risk Management
- Subject Access Requests (SARs)
- Data Retention Policies
- Consent & Marketing Processes
- Data Protection Officers (DPOs)
The latter requires a named individual to act as a data protection lead within an organisation. Not all businesses, particularly SMEs, need a data protection officer, but it is generally considered good practice to have one to ensure any concerns are handled appropriately.

However you manage the specifics of data handling, Article 26 refers to the need for a transparent agreement between controllers, joint controllers and processors. In all cases, the rights of the data subject need to be paramount. The legislation is designed to ensure that respecting and protecting personal data remains a clear objective for everyone involved.
Further protection is generally required if your data processing crosses international borders. Additional issues can often be covered by Standard Contractual Clauses (SCCs) between controllers and processors. ISO 27001 is a useful standard for information security management systems, enabling organisations to demonstrate compliance with data protection requirements worldwide. You may also need to consider country- or industry-specific rules. Health Insurance Portability and Accountability Act (HIPAA) rules mandate protection for health data in the United States, for example.
Having a signed DPA in place is not enough to keep customer data safe or avoid significant censure from the authorities if things go wrong. Co-controllers and processors that act without documented instructions are breaking GDPR rules. Processors, for example, must obtain prior written consent before modifying their operating procedures, including engaging a sub-processor of their own.
In all cases, a well-drafted DPA sets clear expectations around data protection compliance issues and reduces ambiguity in the event of a breach or dispute. It also provides a contractual basis for ongoing compliance management.
Due Diligence for Data Processors
GDPR compliance isn’t a one-time box to tick. A signed DPA is just the start of an ongoing process. Once data sharing begins, your organisation must continuously monitor and review activity to reduce the risk of breaches. It’s worth repeating that you remain the data controller, even if you outsource all your data processing. Liability rests with you. As a result, we suggest the following three due diligence activities be completed throughout any partnership.
- Regular audits – Assess whether your data processors or joint controllers still meet your data protection standards as outlined in your DPA.
- Monitoring contract delivery – Ensure your partners aren’t undertaking unauthorised tasks, outsourcing to sub-processors without permission, or otherwise breaching the terms of your agreement.
- Contract renewals – Update DPAs and commercial terms regularly to reflect any regulatory or operational changes that may occur.
Businesses that take proactive due diligence steps can identify compliance issues early and address them before they escalate into larger, more costly problems.
What To Do If a Third Party Causes a Breach
Even with strong agreements and oversight, breaches can still happen, and swift, decisive action is critical in response. If a third party breaches GDPR rules involving your organisation’s data, the following steps will help limit the impact of any errors or wrongdoing.
- Notify the UK Information Commissioner’s Office (ICO) within 72 hours of the breach being identified. There are limited exceptions to this rule, such as potential harm to individuals, but the regulator is likely to take a dim view of any delay that can’t be justified.
- Assess the impact of the breach on the affected data subjects and determine whether they should be informed or not.
- Review your contracts and documentation to establish where data breach responsibilities lie. This is where a clear, transparent and robust DPA could make a significant difference to any outcome.
Articles 82 and 83 of the GDPR rules make it clear that controllers and processors may share liability for any breach. When assessing any penalties that may be due, the ICO will consider a controller’s response time, cooperation, and existing controls. It is important that you do not simply blame a subcontractor, as this implies you have not taken your responsibilities seriously.
Once the immediate crisis is over, data breaches naturally present an opportunity for data processors and controllers to review and strengthen their internal practices, as well as revise any contractual paperwork.
How Jamieson Law Helps With GDPR Compliance
At Jamieson Law, we specialise in helping our clients navigate the complexities of UK GDPR and data protection compliance.
Our experienced team provides tailored support, including drafting and reviewing Data Processing Agreements, as well as conducting thorough due diligence on potential suppliers and processors. We work closely with SMEs, scaling tech companies, and regulated organisations across the UK and beyond, helping them protect personal data, reduce compliance risk, and continue to grow with confidence. If you’re unsure whether your current third-party relationships meet GDPR requirements or want advice about new relationships, our team is here to help.
