To understand what a data processor is responsible for under the General Data Protection Regulation (GDPR), it is first important to know what a data processor is. This article is part of our ‘Quick Guide Series’ which offers summaries and bullet point answers to common compliance questions.
Are You a Data Processor or Controller?
You need to be able to understand and describe the difference between a data controller and a data processor. Both functions have different requirements and obligations under the GDPR. Furthermore, the policies and controls you have in place need to comply with the relevant Articles and Recitals.
A data controller is the person, public authority, agency or body determining the purpose and means of the personal data processing. Occasionally, two or more controllers determine the processing purpose and means together. In this instance, they are referred to as ‘joint controllers’. However, this is only applicable where they are processing the same data for the same purpose(s).
“Controllers have a high degree of responsibility and are the main decision-makers”.
A data processor is the person, public authority, agency or body processing the personal data on behalf of the controller. Processors follow instructions provided by a controller and act on their behalf. Processors have less responsibility under the GDPR than a controller. However, they still have some obligations under the Regulations.
“Processors do not collect personal data from individuals and only act on behalf of a controller”.
Dual Controlling and Processing
A person or entity cannot be both a data controller and processor for the same data processing activity. However, it is possible to be both controller and processor for different processing activities.
For example, you are a controller of the employee data you collect and process. However, you are also a processor for data you process on behalf of a client who is a data controller.
What is a Data Processor Responsible For?
Acting as a data processor means being governed by a contract or other legal act. Under such an agreement, a processor must:
- act on behalf of a controller and adhere to their instructions for processing.
- assist the controller in ensuring adequate notification and communication in relation to personal data breaches and data protection impact assessments.
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
- upon request, provide the controller with all information necessary to demonstrate compliance with the GDPR.
