Dec 20

Privacy readiness: How to manage the relationship between a data controller and a data processor

Reaching full compliance can be tough… and there are four areas where it’s extra important to be prepared. One of them is managing the relationship between a data controller and a data processor correctly. Read on to see why it’s so important!

The who’s who of data controllers and data processors

First of all, let’s take a look at who’s a data controller and who’s a data processor. A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (GDPR Article 4(7)). The data controller is essentially the party responsible for the personal data: it collects the data and decides how and why it will be processed. Data controllers often use data processors to assist them.

A data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (GDPR Article 4(8)).

To conclude: in the relationship between a data controller and a data processor, the controller sets the “why” and the “how” of the data processing. The processor carries out the processing on the controller’s documented instructions and may not use the data for purposes of its own.

Two Relationship Goals

  1. Before you start the business relationship, evaluate the new vendor (data processor). Your organization needs routines for this: use vendor approval checklists and DPA templates for new data processors, or involve a privacy professional who can sign off.
  2. Keep the processing activities of all data processors and sub-processors well documented and up to date. Review all data processor relationships, including how they process data and which sub-processors they involve. It’s a good idea to have a system that lets you document the necessary details, involve the data processors in the work, and automate the regular reviews.

Privacy prenuptials – Why DPAs are so important

A data processing agreement (DPA) is a contract between a data controller and a data processor, or between a data processor and a sub-processor. Its aim is to make sure each party in the partnership operates according to the GDPR or other applicable privacy laws, and it protects the interests of both parties. Under the GDPR (Article 28(3)), processing by a processor must be governed by such a contract, so there should be DPAs in place with all data processors.

3 DPA-related actions to take now

  1. Your organization needs routines to identify and document changes in the activities of data processors (and sub-processors).
  2. Regularly review all your data processor relationships, including how data is processed and which sub-processors are involved. Consider using a system that makes it easy to automate these reviews, and involve the data processors in the work.
  3. Have routines to make sure data subjects are informed about changes relating to data processors. Your privacy notice lists the recipients or categories of recipients of personal data, so any change you consider or make in a data processor relationship should be checked against it: as soon as a change is on the table, decide whether data subjects need to be informed, and consider a system that automates updates to your privacy notice.


Download our guide Better Privacy Management Strategy: 4 areas where you want to stay ahead below!
