The Data Processor in the GDPR
From Article 4 of the GDPR:
Processor means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller
Put simply, a Data Processor is any person or organisation that processes personal data on behalf of a Data Controller.
The scope of this definition is far-reaching, and companies should consider every aspect of their business when identifying the data processors they already rely on.
Examples of Data Processors
Suppose you operate an online store selling framed photographs of pandas, called (obviously) Pandamonium. Pandamonium itself is the Data Controller. You may well have one or more employees who are treated internally as "the Data Controller", but regardless of how the role is staffed, the company itself, as a legal entity, is the Data Controller.
The Data Processors you use could potentially include your online payment system, because it processes the personal data (name, payment details and so on) of your customers. However, it is not always black and white. Take PayPal for example. Because PayPal decides for itself what data it needs from your customer in order to take a payment, it is actually acting as a Data Controller in its own right rather than as your Data Processor.
Your delivery service will be a Data Processor, dealing as it does with your customers' names, addresses and purchasing habits.
Your web site's host gets involved here too. If Pandamonium customers are invited to set up an account, or even to check out as a guest, the host stores that personal data on your behalf, so the chances are your web host is also a Data Processor.
Your chosen web analytics program will also act as a Data Processor, capturing personal data even if it is only in the form of IP addresses.
Then there is your email service. This includes both your basic email platform and any third-party marketing service you use, for example Mailchimp, used to run the email marketing campaign your customers consented to during the purchase process.
Data Processors and Reporting Breaches
One subtle difference between Data Processors and Controllers concerns data breaches. In the event of a breach, the responsibility of the Data Processor is to inform the Data Controller without undue delay after becoming aware of it. The further responsibilities of reporting the matter to the relevant supervisory authority (within 72 hours where feasible) and, where the risk to individuals is high, to the Data Subject(s) lie with the Data Controller.
Data Processors and Liability
This is an area that is seeing a significant change under the GDPR.
Previously, under the Data Protection Act, only a Data Controller would be held to account for infringements. The GDPR changes this to make Processors far more accountable for their own actions. It does not absolve Controllers from problems caused by their Processors, as the ultimate responsibility still rests with the Controller. What it does mean is that Processors must be more transparent and cooperative at every level of data management.
Data Processors must also be careful not to step outside their agreed remit. If they were to begin to process the data they have access to for reasons other than those requested by and agreed with the Data Controller then they become a Data Controller in their own right, and have all the associated responsibilities for consent and justification.
Many existing agreements with Data Processors will still be valid under the GDPR, or can be made valid with minimal effort. It is worth noting, though, that there are no 'grandfather rights' under the GDPR: arrangements that exist now and are legal under the Data Protection Act will still be held to the standard of the GDPR.
This means that to ensure compliance you must examine every agreement you have in place and make sure it conforms not just to the DPA but also to the GDPR.
These panda photos aren’t going to sell themselves.
The GDPR is a big deal. While we’re attempting to create a readable and accessible introduction to the GDPR, our comments here should not be considered legal advice. The best individual place for GDPR information in the UK is the ICO Website. You may also wish to obtain your own legal advice, which, again, this is not.