When you talk about data protection all day, every day, it’s easy to assume that everyone else does the same. Some of the terms and names used when referring to the new GDPR are not as clearly defined as they could be. So, this week we are looking at the role of a ‘data processor’ and answering some of the frequently asked questions about this role and its relationship to a ‘data controller’.
What’s a data processor?
Imagine for a moment that you’re running a school. You have all sorts of personal data about individuals including the pupils, their parents and your staff. You’re in charge of collecting, storing, checking, manipulating and outputting all that personal data. You’re also in charge of ensuring that the personal data is properly protected. Having these responsibilities earns you the title of ‘data controller’.
All the things that you can do with the personal data are bundled up and called ‘processing’. This means that whatever you do with personal data, even just storing it, is considered ‘processing’.
You can manage all this processing yourself or you can choose to ask another organisation to undertake some of this processing on your behalf. You provide the personal data and clear instructions on what you want the third party to do with the data. If the third party is processing your personal data based only on your instructions, then it earns the title of ‘data processor’. It can be helpful to think of data processors as subcontractors for jobs that you would otherwise do yourself.
Can I be a data controller and a data processor?
The simple answer is yes. In fact, it’s very likely that most data processors will be data controllers at the same time. The data processor is likely to have personal data about its own staff and customers and it will decide how that data is processed. This makes it a data controller.
If you’re a data controller, it doesn’t follow that you’ll be a data processor. This only comes if you’re providing a service to third parties. It is worth noting that if you’re running a Multi-Academy Trust, where you provide data processing for the academies, you are not considered a “data processor”.
Are my staff data processors?
This is a question we’ve been asked quite a few times recently. Your staff are processing data based on your instructions. However, your own staff are not considered to be third parties in the legal sense, so any processing they do is part of the operation of the data controller.
If you use staff with whom you don’t have a direct contract of employment (or an equivalent agreement), for example agency staff who are paid by the agency, then the agency is acting as a data processor.
If a data processor has a data breach, what happens?
You’ve chosen to sub-contract some of your data processing to a third party, but it’s still your data that’s being processed and it’s your responsibility. If the data processor experiences a data breach, then the risk is to your data subjects.
So, if it does happen, the data processor tells you what occurred and gives you the support needed to manage the impacts of the breach on your data subjects. If you must report the breach to the ICO, the data processor must give you the information you need to make that report.
While you might have a commercial agreement in place with the data processor, as far as the ICO is concerned, you have a responsibility to ensure you choose a supplier who has appropriate data protection measures in place. If those measures fail, then it’s your choice of supplier that’s in question.
If I run a system on my site, why can the supplier still be a data processor?
If the supplier of a piece of software can access the software in operation such that personal data is accessible, then they are classed as a “data processor”. The most frequent way this happens is through the provision of support.
Whether an agent comes to your site or connects online, they can usually see the data in the system. This is more than enough for the support agent to discover personal data about your data subjects, which may then be disclosed inappropriately.
If you get a support contract with this type of assistance, you need to ensure you have the right terms in your agreement.
What do I need to do to protect my data subjects?
If you’ve decided to use a data processor then you need to:
- Have a written agreement that sets out how the data processor will deal with your data and that it will be compliant with the GDPR.
- Satisfy yourself that the data processor can deliver the safeguards that it is claiming to have.
- Include the existence of the data processor in your data map.
I hope this has given you some clarification on the difference between a data controller and a data processor, and the responsibilities each hold regarding the GDPR.
These are just a few of the questions about data processors and data controllers and their responsibilities under the GDPR. If you’d like us to take a look at another area of the regulation, let us know by getting in touch here.