
Sharing data with other organisations: what UK GDPR actually requires

Andy Williamson 8 April 2026
[Figure: Orrery Sketch - Data Controller and Processor]

The majority of organisations put most of their data protection effort into what happens within their own walls. They produce policies, train staff, possibly appoint a data protection officer, and then they share personal data with a range of suppliers, processors, and partners without ever properly examining how those data sharing relationships actually work.

That gap between internal governance and the reality of external data sharing is exactly where the regulators are now focusing. In March 2025, the ICO issued its first-ever fine against a data processor: £3.07 million against Advanced Computer Software Group for security failures that exposed approximately 80,000 people's personal data. These were sensitive health records held on behalf of the NHS: patient data, GP registrations, medical histories. Seven months later, the ICO fined Capita £14 million after a ransomware attack that affected 6.6 million individuals across 325 pension scheme clients, penalising both the controller and the processor in the same action.

That space between an organisation's internal data governance structure and its use of external processing resources is where data protection most often fails. The UK Business Data Survey 2024 found that only 9% of UK businesses reported transferring personal data internationally, a striking figure when set against the near-universal use of cloud email, SaaS platforms, and global analytics tools. The contrast between those two figures tells us what's really happening: there is endemic low awareness within organisations of when an international data transfer is even taking place.

Before anything else: who is responsible for what?

The most fundamental question in any data sharing arrangement is whether each organisation is acting as a controller or a processor. Organisations get this wrong far more often than they would like to admit.

A controller decides why personal data is being processed and how. A processor handles personal data on the controller's instructions. This distinction is functional, not contractual: what an organisation actually does with the data determines its role, regardless of what the contract may or may not state. The ICO has been explicit about this: if a supplier makes its own decisions about how to use personal data, calling it a "processor" in a contract doesn't make it one.

The obligations are different. Controllers carry the primary accountability for how personal data is used. Processors have direct obligations around security and must act only on documented instructions. When the roles are mislabelled, which the ICO highlights as one of the most common data sharing failures, the wrong contracts get put in place, the wrong oversight follows, and there is no clear picture of who is actually responsible.

In practice, the mislabelling happens all the time. Recruitment agencies that are clearly making their own decisions about candidate data get labelled as processors. Managed service providers running entire IT environments are contracted as if they were following instructions rather than exercising independent judgement. SaaS platforms sit in a grey area that most contracts don't even attempt to address properly. Before examining anything else about your data sharing arrangements, check whether you've correctly identified the role each organisation in your data flow actually plays.

Having the right contract is not the same as managing the risk

UK GDPR Article 28 sets out mandatory requirements for contracts between controllers and processors. These include documented processing instructions, confidentiality obligations, security measures, sub-processor controls, assistance with data subject rights, and deletion or return of data when the contract ends. There is no flexibility of interpretation here: if you use a processor, these provisions must exist within the contract.

But having the right wording in a contract is just the start of the journey, not the end.

The Vodafone Germany case makes the point starkly. In June 2025, the German regulator imposed fines totalling €45 million on Vodafone and its processor. The contracts had been drawn up and were in place. The problem was that nobody was actually monitoring or verifying whether the processor was meeting its contractual obligations. The contracts existed; the supervision did not. The Advanced and Capita fines tell the same story: security failures at the processor level, in organisations that the controllers were supposed to be monitoring.

Article 28 requires controllers to use processors that provide 'sufficient guarantees.' That isn't just a one-time assessment at the point of signing. It means ongoing monitoring and supervision: exercising audit rights, reviewing security standards, maintaining awareness of sub-processor chains, and revisiting contracts when processing activities change. Many organisations treat the contract signing as the 'job done' stage. In reality, it's the starting point for an ongoing supervisory activity.

The international transfers you probably haven't identified

That figure from the UK Business Data Survey, 'only 9%' of businesses transferring personal data internationally, deserves a closer look.

Almost every UK organisation uses cloud-hosted email, SaaS platforms for HR or accounting, customer relationship management tools, cloud storage, or analytics services. Many of these services are provided by international companies, which by default means data is processed outside the UK, and each one may constitute a restricted international transfer under UK GDPR. The ICO's January 2026 guidance confirmed what practitioners already knew: remote access to personal data from outside the UK by a separate legal entity counts as a restricted transfer. If your IT support provider accesses your systems from overseas, that's a data transfer. If your SaaS platform processes data through servers in the United States, that's a data transfer.

The Data Use and Access Act 2025 – the DUAA – changed the standard for assessing these transfers. The old test, inherited from the Schrems II case, asked whether the destination country offered protection 'essentially equivalent' to UK standards. The new test asks whether protection is 'not materially lower.' Transfer Risk Assessments, formal assessments of whether personal data will be adequately protected in the destination country, are now a statutory requirement when relying on safeguards like standard contractual clauses.

The UK currently recognises adequacy decisions (a formal finding that another country's data protection standards are sufficient) for the EEA, plus a specific list of countries including Japan, South Korea, and Switzerland. The UK-US Data Bridge covers certain US organisations that have self-certified under the EU-US Data Privacy Framework and opted into the UK Extension. But adequacy doesn't cover every transfer, and it doesn't remove the need to understand exactly where your data actually goes.

Where the paperwork stops and the governance starts

Data sharing governance starts with understanding your own arrangements. Map your data flows: which organisations receive personal data from you, on what basis, and in what role. Review your processor contracts against the Article 28 requirements, not as a box-ticking exercise but as a genuine check on whether the contract reflects how data actually moves. Identify your international transfers, including the ones hidden inside your SaaS subscriptions and cloud services.

The scale of this work is proportionate to the scale of your organisation. A 20-person business with three key suppliers faces a different practical task from a 20,000-person organisation with hundreds of processor relationships. But the legal obligations are the same, and the starting point is identical: understand where your data goes, who handles it, and whether the documented arrangements in place actually match day-to-day reality.

The DUAA 2025 preserved every element of this accountability architecture. Article 28 processor contract requirements, DPO obligations, Records of Processing Activities, Data Protection Impact Assessments: all unchanged. No legislative simplification is coming to rescue organisations with inadequate data sharing arrangements.

And then there are the everyday risks that no contract addresses. The ICO's 2024/25 annual report found that data emailed to the wrong recipient was the single biggest cause of reported breaches. Not the sophisticated cyber attacks that make the headlines. Not processor failures. Someone simply types the wrong name into an email field. Data sharing risk extends to every email attachment, every shared drive link, and every file transfer someone sends without thinking about the possible consequences.

The gap worth closing

A data sharing review is one of the most practical things any organisation can do. Start from the beginning: map each data flow and check whether what's on paper matches what's actually happening in practice. This isn't a project that requires significant investment in new systems or technologies. It requires someone diligently asking the questions that should have been asked when the supplier was first appointed, and being willing and able to act on the answers.
