A data processor is any person, authority, organisation or other body which processes personal data on behalf of a data controller. The processor's role is central to how personal data is managed.
A processor has many obligations to ensure that the personal data it processes is afforded the same protections as if the controller were processing it directly. The controller is therefore required to ensure that:
- A contract is in place between the parties
- Data is processed only under written instruction from the controller
- Technical and organisational security is in place
- The processor does not subcontract to another processor unless they have written approval from the controller
Each of these requirements means that a data processor relationship must be entered into only after due diligence, and that this due diligence must be evidenced.
Examples:
- Your HR department processes personal data of candidates and employees. Some of these HR activities might be outsourced (e.g., payroll services). The company you outsource to then becomes a processor.
- Your marketing team processes personal data of potential and existing customers and employs an email marketing company that uses the data provided by marketing for campaigns. This email marketing company is therefore a processor.
Processors are Limited in what they can Process
Processors must:
- Perform only the processing defined by the data controller (or required by law)
- Obtain the written consent of the data controller before appointing a sub-processor
- Replicate the same rules and constraints on personal data from the controller/processor contract in any contract with a sub-processor
Processors work for the Data Controller
There are circumstances in which the processor must inform the data controller of events:
- If the processor anticipates that the controller's instructions or operations will conflict with the requirements of the GDPR or the laws of the EU Member State in question, the processor is obliged to inform the controller immediately, without undue delay
- Processors must notify the data controller of any personal data breach immediately, without undue delay, and must assist the controller in handling the breach
- Processors must notify the data controller of any data subject rights request immediately, without undue delay, and must assist the controller in handling the request
A significant requirement is that every processing relationship must have a contract in place. Where the activities the processor carries out present a specific risk, it is also good practice to undertake a security assessment to ensure that the processing risks are mitigated.
How can ProvePrivacy Help?
ProvePrivacy is designed to identify all data processor relationships as part of each RoPA (Record of Processing Activities) exercise. Once a relationship is identified, ProvePrivacy allows users to undertake further assessments of the contract, of international transfer risks and, where required, of security.