UK GDPR is five years old at the time of writing this blog. But even after half a decade, some organisations might be unclear on the finer points of GDPR legislation.
Generally, data protection comes down to common sense. A trained workforce should be able to navigate the day-to-day implications of GDPR without becoming experts. But what if it’s not your workforce processing the data your company uses?
Whether you’re a third-party data processor in the UK or work with one, this guide will help walk you through the relevant GDPR legislation and your legal responsibilities.
What is Data Processing?
Data processing is the legal term for when personal data is used in any way. This includes doing any of the following with it:
Who Are Third Party Data Processors?
It’s common practice for third parties to process data on behalf of other businesses. And this practice can muddy legal responsibilities. A lack of clarity can make it harder for both parties to understand and fulfil their responsibilities – or know who’s at fault in the event of a data breach.
To understand UK GDPR, you first need to know if your organisation counts as a data controller or a data processor.
The Information Commissioner’s Office (ICO), which enforces GDPR legislation, has a list of questions to help you figure out your organisation’s status.
In brief, a data controller is any organisation that decides how and why personal data is being collected.
A data processor is any organisation that handles data on behalf of a controller.
For example, a data controller might be an online retailer. It needs to use personal data such as card details for the purposes of selling goods. But it might contract another company to handle the transaction. This third party will collect and process the card details on behalf of the retailer, making it a data processor.
This is just one example of what a data processor might do. Other common roles include:
- Marketing activities
- Human resource management
- Deleting personal data
- Storing and securing personal data
It’s also possible that a data processor might contract out some of its responsibilities to another processor. This is known as using a ‘sub-processor’.
Is a Third-Party Data Processor Different from a Data Processor?
A third-party data processor is defined by UK GDPR as “a natural or legal person or organisation which processes personal data on behalf of a data controller.”
Generally, data processors are third parties, so for the purposes of this guide we’ll use the term ‘data processor’ to refer to a third-party data processor.
Does GDPR Legislation Apply to Third Party Data Processors in the UK?
Yes. Although there are different obligations for controllers and processors, all organisations that work with personal data are subject to UK GDPR legislation. Data processors have a direct obligation to:
- Protect any personal data they handle
- Have sufficient technical and organisational measures in place to minimise data risks
- Inform controllers of any data breaches as soon as possible
- Assist the controller with its duties regarding data breaches
- Follow the instructions given by the controller regarding the processing of data
- Tell the controller immediately if its instructions are unlawful
While data processors are obliged to follow instructions relating to data handling, they still manage their day-to-day operations.
If a processor either fails in its GDPR obligations, or acts outside the controller’s instructions, it can be liable to pay damages or be subject to fines.
What Do Data Controllers Need to Know When Using a Data Processor?
A data controller is always responsible for GDPR compliance and must demonstrate this compliance, even when using a third-party data processor. This obligation means you:
- Need to be sure any data processor working on your behalf is compliant
- Know who your data processors (and sub-processors) are
- Understand what data is being processed
- Know how well protected the data being processed is
It’s also necessary for both controllers and processors to establish a written contract whenever working together.
This helps keep both parties compliant and clearly establishes obligations and liabilities.
What Should a Contract Between a Data Controller and Processor Include?
GDPR legislation stipulates that all contracts between controllers and processors must cover the:
- Subject matter of the processing
- Duration of the processing
- Nature and purpose of the processing
- Type of personal data involved
- Categories of data
- Controller’s obligations and rights
There should also be terms or clauses relating to:
- Processing data only in accordance with the controller’s recorded instructions
- The duty of confidence
- What security measures are in place
- Use of sub-processors
- Data subjects’ rights
- Assisting the controller
- End-of-contract provisions
- Audits and inspections
Contracts covering these same terms are also required between processors and sub-processors, provided the relationship has been authorised by the controller.
Where Can I Learn More About GDPR?
Any business can face penalties and fines for data breaches. Whether your organisation acts as a controller or processor, you need to understand your GDPR duties, obligations and liabilities. And without the right knowledge, your employees might find themselves in breach of GDPR legislation.
Human error is at the root of most data breaches investigated by the ICO. Because of this, the ICO recognises staff training as one of the best ways to demonstrate compliance.
You can give your staff the knowledge needed to handle personal data confidently with our GDPR training courses. Employees will learn the fundamentals of data protection and their role in ensuring confidentiality and compliance. The course is suitable for any organisation subject to GDPR legislation and appropriate for employees of all levels.