How to structure compliant data sharing across insurer, broker, and MGA relationships — covering controller vs processor roles, contractual requirements, and practical implementation.
The insurance distribution chain involves multiple parties sharing personal data at every stage of the policy lifecycle. A single policyholder record may flow between the retail broker, wholesale broker, MGA, insurer, reinsurer, claims administrator, loss adjuster, and various outsourced service providers. Each data flow creates a potential compliance gap if the controller-processor relationship is not correctly identified and documented.
The ICO has repeatedly highlighted inadequate data sharing arrangements as a common failing in the financial services sector. In the ICO Data Sharing Code of Practice (in force since 2021; currently under review), the regulator emphasised that organisations must have a clear legal basis for every data share, must document the controller-processor status of each party, and must put appropriate contractual safeguards in place before any personal data is shared.
Insurance firms face particular difficulty because the same party may act as controller for some processing activities and processor for others. A broker, for example, is typically a controller for its own advisory activities but may act as a processor when handling data on behalf of an insurer under a delegated authority arrangement. Getting these relationships wrong can result in inadequate contractual protections and unclear accountability when things go wrong.
Effective data sharing governance starts with accurately mapping every data flow and correctly categorising each party as controller, joint controller, or processor for each specific processing activity. This categorisation determines which contractual framework applies: a data sharing agreement for controller-to-controller transfers, an Article 28 data processing agreement for controller-to-processor arrangements, or an Article 26 arrangement where the parties are joint controllers.
For the insurance sector, a pragmatic approach recognises that many relationships involve elements of both. A wholesale broker placing business in the London Market may be a controller for its broking activities but a processor for specific delegated functions. Your agreements need to be sufficiently granular to address this dual status.
Technology solutions that enforce data sharing controls — restricting data access to authorised parties, logging all data transfers, and maintaining audit trails of what data was shared, with whom, and for what purpose — provide the operational foundation for contractual compliance and demonstrate accountability to the ICO.
Follow these steps to map, document, and control data sharing across your insurance relationships.
Create a comprehensive data flow map covering every party with whom you share personal data. For each flow, document: what categories of personal data are shared, the purpose of the sharing, the direction of the flow, the volume and frequency of transfers, and the technical mechanism used (API, portal, email, physical media). Include both routine and ad-hoc data sharing.
For each data sharing relationship, apply the ICO guidance to determine whether each party is a controller, joint controller, or processor. The key question is: who determines the purposes and means of processing? In insurance, brokers typically control their advisory processing, insurers control underwriting and claims decisions, and outsourced service providers are usually processors acting on controller instructions.
Where two controllers share data (e.g., broker to insurer for placement purposes), implement a data sharing agreement that documents: the lawful basis for the sharing, the categories of data subjects and personal data, the purposes for which each party will process the data, each party's responsibilities for data subject rights, security requirements, and breach notification procedures.
For every processor relationship, execute a compliant Article 28 agreement covering all mandatory provisions: subject matter and duration of processing, nature and purpose, types of personal data and categories of data subjects, controller obligations and rights, processor obligations including confidentiality, security measures, sub-processing, data subject rights assistance, breach notification, audit rights, and data return or deletion at contract end.
Insurance processors frequently engage sub-processors — a claims administrator may use external medical records retrieval services, or an MGA may outsource certain functions to TPAs. Under Article 28(2), processors must obtain prior written authorisation before engaging sub-processors and impose the same data protection obligations through a sub-processing agreement. Establish a sub-processor approval process and maintain a register of all approved sub-processors.
Where parties jointly determine the purposes and means of processing — which can occur in co-insurance arrangements, consortium underwriting, or joint venture operations — implement Article 26 joint controller arrangements. These must define each party's respective responsibilities for data subject rights, privacy notice obligations, and the point of contact for data subjects.
Deploy technical measures to enforce your contractual arrangements. This includes secure data transfer mechanisms (encrypted file transfer, secure APIs, access-controlled portals), role-based access controls that limit each party to only the data they need, and comprehensive logging of all data access and transfers for audit purposes.
Establish ongoing monitoring of your data sharing relationships. Conduct annual reviews of all data processing agreements, audit processor compliance with contractual obligations, verify that data flows remain within the scope of your agreements, and update arrangements when business relationships or processing activities change.
Develop standardised data processing agreement and data sharing agreement templates for your most common relationship types. This ensures consistency, reduces negotiation time, and makes it easier to monitor compliance across multiple third-party relationships.
Before entering into a new data sharing arrangement, conduct due diligence on the third party's data protection practices. Review their privacy policies, security certifications, breach history, and ICO enforcement record. For high-risk sharing arrangements, conduct an on-site or virtual data protection assessment.
Keep a central register of all third parties with whom you share personal data, documenting the controller-processor status, agreement type, review dates, and risk rating for each relationship. This register should be owned by your DPO or data protection lead and reviewed at least quarterly.
Every data sharing arrangement should have clear provisions for what happens to personal data when the relationship ends. Specify whether data must be returned, deleted, or both, define timescales for completion, and require written confirmation of deletion. Test these exit provisions before you need them.
If any data sharing involves transfers outside the UK — including to group companies, offshore service centres, or cloud providers with non-UK data centres — ensure you have an appropriate transfer mechanism in place, such as UK adequacy regulations for the destination country, the International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses), or Binding Corporate Rules.
Data protection terms should be negotiated alongside commercial terms, not bolted on afterwards. Involve your legal and data protection teams early in commercial negotiations so that data sharing requirements are built into the relationship from the outset.
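The steps above describe a register of third parties and a log of actual transfers; the gaps they are meant to close (a processor relationship papered with the wrong agreement type, an unauthorised sub-processor, a non-UK recipient with no transfer tool, an overdue review, a transfer whose data categories exceed what the agreement covers) are all mechanical to detect once both are recorded in a structured form. The following is an added example, not code from the original page: a small linter that applies those rules to a constructed register and reconciles a constructed transfer log against it. The register fields, party names, agreement labels and the log-line format are assumptions chosen for illustration, not a standard.

```python
"""Added example: lint a third-party data sharing register and reconcile a
transfer log against it. Field layout, party names and log format are
hypothetical; the rules encoded are the ones the guidance above sets out."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Contractual framework required for each (our role, their role) pairing.
REQUIRED_AGREEMENT = {
    ("controller", "controller"): "DSA",             # controller-to-controller data sharing agreement
    ("controller", "processor"): "Art28_DPA",        # controller-to-processor
    ("processor", "controller"): "Art28_DPA",        # we process on their behalf
    ("controller", "sub-processor"): "Art28_DPA",    # back-to-back terms imposed by the engaging processor
    ("joint_controller", "joint_controller"): "Art26",
}
UK_TRANSFER_TOOLS = {"adequacy", "IDTA", "BCR"}      # acceptable tools for non-UK recipients
APPROVED_MECHANISMS = {"sftp", "api_tls", "portal"}  # transfer channels your contracts permit


@dataclass
class Party:
    name: str
    our_role: str
    their_role: str
    agreement: str | None
    data_categories: set
    mechanisms: set
    location: str = "UK"
    transfer_tool: str | None = None
    engaged_via: str | None = None            # processor that engaged this sub-processor
    prior_written_authorisation: bool = False  # Art 28(2) consent to the sub-processor
    exit_provisions: bool = False              # return/deletion terms at contract end
    review_due: date | None = None


def lint_register(register: list[Party], today: date) -> list[str]:
    """Return one finding per contractual or governance gap in the register."""
    findings = []
    for p in register:
        required = REQUIRED_AGREEMENT.get((p.our_role, p.their_role))
        if required is None:
            findings.append(f"{p.name}: unrecognised role pairing {p.our_role}/{p.their_role}")
        elif p.agreement != required:
            findings.append(f"{p.name}: has {p.agreement or 'no agreement'}, needs {required}")
        if p.their_role == "sub-processor" and not p.prior_written_authorisation:
            findings.append(f"{p.name}: sub-processor engaged by {p.engaged_via} without prior written authorisation")
        if p.location != "UK" and p.transfer_tool not in UK_TRANSFER_TOOLS:
            findings.append(f"{p.name}: non-UK recipient ({p.location}) with no transfer tool")
        if not p.exit_provisions:
            findings.append(f"{p.name}: no return/deletion provisions at exit")
        if p.review_due is None or p.review_due < today:
            findings.append(f"{p.name}: agreement review overdue or unscheduled")
        unapproved = p.mechanisms - APPROVED_MECHANISMS
        if unapproved:
            findings.append(f"{p.name}: unapproved transfer mechanism(s) {sorted(unapproved)}")
    return findings


def parse_log_line(line: str):
    """Constructed format: '<timestamp> recipient=<name> categories=a,b mechanism=<m>'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return ts, fields["recipient"], set(fields["categories"].split(",")), fields["mechanism"]


def check_transfers(register: list[Party], log_lines: list[str]) -> list[str]:
    """Flag transfers to parties not in the register, data outside the agreed
    categories, or channels the agreement does not cover."""
    by_name = {p.name: p for p in register}
    findings = []
    for line in log_lines:
        ts, recipient, categories, mechanism = parse_log_line(line)
        party = by_name.get(recipient)
        if party is None:
            findings.append(f"{ts}: transfer to {recipient}, which is not in the register")
            continue
        extra = categories - party.data_categories
        if extra:
            findings.append(f"{ts}: {recipient} received out-of-scope categories {sorted(extra)}")
        if mechanism not in party.mechanisms:
            findings.append(f"{ts}: {recipient} via {mechanism}, not an agreed mechanism")
    return findings


# Constructed sample register and transfer log (hypothetical parties and dates).
TODAY = date(2024, 6, 1)
REGISTER = [
    Party("RetailBrokerLtd", "controller", "controller", "DSA", {"identity", "contact", "policy"},
          {"api_tls"}, exit_provisions=True, review_due=date(2025, 1, 15)),
    Party("ClaimsAdminCo", "controller", "processor", "Art28_DPA", {"identity", "contact", "claim", "health"},
          {"sftp"}, exit_provisions=True, review_due=date(2024, 3, 1)),           # review overdue
    Party("MedRecordsRetrieval", "controller", "sub-processor", "Art28_DPA", {"identity", "health"},
          {"portal"}, engaged_via="ClaimsAdminCo", exit_provisions=True, review_due=date(2025, 1, 1)),
    Party("OffshoreServiceCentre", "controller", "processor", "DSA", {"identity", "policy"},
          {"email"}, location="IN", review_due=date(2025, 1, 1)),                # wrong agreement, no tool
]
TRANSFER_LOG = [
    "2024-05-02T10:14:00Z recipient=ClaimsAdminCo categories=identity,claim,health mechanism=sftp",
    "2024-05-02T11:02:00Z recipient=RetailBrokerLtd categories=identity,policy,health mechanism=api_tls",
    "2024-05-03T09:30:00Z recipient=LossAdjusterX categories=identity,claim mechanism=sftp",
    "2024-05-03T16:45:00Z recipient=ClaimsAdminCo categories=identity mechanism=email",
]

if __name__ == "__main__":
    for finding in lint_register(REGISTER, TODAY) + check_transfers(REGISTER, TRANSFER_LOG):
        print(finding)
```

Run against the constructed data, the register linter reports six gaps (the overdue ClaimsAdminCo review, the unauthorised sub-processor, and four issues on the offshore centre) and the log check reports three (health data sent to a broker whose agreement does not cover it, a transfer to a party with no register entry, and an email transfer where only SFTP was agreed). The value of the approach is that the register becomes the single source of truth that both the contract review (step: annual review) and the transfer monitoring (step: verify flows stay within scope) are checked against, rather than two documents that drift apart.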
Every data sharing arrangement documented with data types, purposes, and transfer mechanisms.
Factual assessment of status completed and documented, not just contractual labels.
Compliant data processing agreements in place covering all mandatory Article 28 provisions.
Agreements documenting lawful basis, purposes, responsibilities, and security requirements.
All sub-processors documented with prior written authorisation and back-to-back agreements.
Encrypted transfers, access controls, and comprehensive transfer logging in place.
Calendar of review dates with named owners for each third-party relationship.