A data processor processes personal data only on behalf of, and on the documented instructions of, the data controller. The processor is usually a third party external to the controller's organisation.
The duties of the processor towards the controller must be set out in a contract or another legal act, including what happens to the personal data when the contract ends (for example, that it is deleted or returned to the controller and existing copies are removed).
A processor is a person or organisation, not a machine: the calculators or computers that carry out operations on data are merely tools used by whoever is processing it. Cloud service providers that host or process personal data for their customers are a common example of a data processor.
A third-party data processor doesn’t own or control the data they process. The data processor can’t change the purpose of the data or how it’s used.
Data processors carry out various data processing tasks for a business, such as storing data, retrieving data, running the payroll, marketing activities, or providing security for data.
"Processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The General Data Protection Regulation (GDPR) keeps the controller and processor definitions largely as they were under its predecessor, Directive 95/46/EC. What changed is that the GDPR now places direct legal obligations on processors as well as controllers, and both are bound by the same data protection principles.
Data processors need to assist controllers in certain circumstances, for example, in a potential personal data breach notification or considering a Data Protection Impact Assessment (DPIA).
Your organisation's HR department, acting as controller, processes the personal data of applicants and employees, and that data needs to be protected. Some of the HR processing activities may be carried out by a third party. That outsourcing company is a processor.
Your marketing team processes the personal data of potential and existing customers. When the team works with an email marketing company or agency that uses these data for campaigns, that agency is a processor.
When a campaign (on TV, for example) invites potential customers to dial a specific number, you may have outsourced your organisation's inbound contact centre activities or engaged a call centre.
The data subjects are the people who call in, and the contact centre becomes the processor.
The processor never owns the personal data. The controller doesn’t own the personal data of his customers, prospects, employees, or anyone else. The natural person owns the personal data.
If a processor engages a sub-processor to help process personal data for a controller, the processor must first obtain the controller's prior written authorisation (general or specific) and must have a written contract with that sub-processor imposing the same data protection obligations. A sub-processor is usually another organisation.
For example, take a brewery with many employees. The company signs a contract with a payroll company to pay wages.
When an employee receives a pay rise or leaves, the brewery tells the payroll company when and how much should, or should no longer, be paid.
The brewery decides the purposes and means of the processing, so it is the data controller, and the payroll company, acting on its instructions, is the data processor.
The General Data Protection Regulation sets out the different roles and responsibilities expected of a data controller and a data processor.
Adhering to those obligations is how you demonstrate that you have done everything required on your part.
Processors have less independence over the data they process, but they have legal responsibilities of their own under the UK GDPR and are subject to regulation by the authorities.
If you are a processor, you have responsibilities and obligations such as:
You must keep records of the processing you carry out on behalf of each controller (Article 30(2)) and, where the Article 37 criteria apply to you, appoint a data protection officer, to meet the GDPR's accountability obligations.
The UK GDPR restricts transfers of personal data outside the UK in the same way the EU GDPR restricts transfers outside the EEA. As a processor, you must ensure that any transfer outside the UK is authorised by the controller's documented instructions and complies with the UK GDPR's transfer provisions.
You are obliged to cooperate with the supervisory authority, such as the Information Commissioner's Office (ICO), in the performance of its tasks.
Data controllers must only use data processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures so that processing meets the requirements of the GDPR and protects the rights of the data subject.
The UK GDPR applies to data processing carried out by organisations established in the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK or monitor their behaviour.
Certain activities fall outside the scope of the GDPR, including processing for national security purposes, processing by individuals purely for personal or household activities, and processing by competent authorities for law enforcement purposes, which is governed by the Law Enforcement Directive (in the UK, Part 3 of the Data Protection Act 2018).
The Brexit transition period ended in December 2020. UK organisations that process personal data have to comply with:
There are minimal differences between the UK GDPR and its EU equivalent: the UK retained the EU regulation in domestic law at the end of the transition period, with only the amendments needed to make it work as UK law.
Processors have fewer obligations but must be careful to only process personal data according to the controller’s instructions.
The Data Protection Officer (DPO), where the company has designated one, is responsible for monitoring how personal data is processed and for informing and advising the employees who process it.
The DPO also acts as the contact point for, and cooperates with, the supervisory authority (the Data Protection Authority, which in the UK is the ICO).
There is a requirement for your company to appoint a DPO when:
The DPO may be a member of your organisation or may be contracted based on a service contract.
A data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of a controller.
Your own staff process data according to your instructions. Employees are not third parties in the legal sense, so any processing they do is processing by the controller itself.
Where you use staff you do not employ directly, for example agency workers paid by the agency, the agency acts as a data processor.
The following list explains the typical tasks of a data processor:
Article 5 of the GDPR sets out the data protection principles that a data subject can expect to be followed when their personal data is processed: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and, resting on the controller, accountability.
Personal data is any information relating to an identified or identifiable individual. This includes names, addresses, phone numbers, credit card details and the like.
What identifies an individual could be as straightforward as a name or a number, or it could include other factors such as an internet protocol address or a cookie identifier.
If you can identify an individual directly from the information you are processing, that information may be personal data.
If you cannot identify an individual directly, you need to consider whether they are still identifiable indirectly. Take into account all the means reasonably likely to be used to identify that individual, together with the information you are processing.
When deciding whether information "relates" to an individual, you need to consider a range of factors, including the content of the data, the purpose or purposes for which you are processing it, and the likely impact of that processing on the individual.
It is possible for the same information to be personal data for one controller's purposes but not for another controller's purposes.
Pseudonymised information, where identifiers have been removed or replaced so that individuals can only be identified with additional information, is still personal data for the purposes of the UK GDPR.
Information that is truly anonymous is not covered by the UK’s General Data Protection Regulation.
Information that relates to a specific individual is still personal data even if it is inaccurate, because it still relates to that individual.
Making sure your business is GDPR compliant is crucial. A good place to start is an information audit and/or data-mapping exercise so that you know what personal data your organisation holds and where.
A company that fails to maintain records of processing activities, or cannot provide them to the supervisory authority on request, is exposed to administrative fines of up to 10 million euros or 2% of worldwide annual turnover, whichever is higher, under Article 83(4)(a) of the GDPR.