When the General Data Protection Regulation (GDPR) was first introduced, “data processor” was one of the key terms used throughout the legal text that got people scratching their heads.
To help businesses determine their GDPR obligations, the law defines three key roles: data processors, data controllers, and joint controllers.
According to the GDPR, a data processor refers to “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
If that definition still has you scratching your head, let’s unpack a few more of the terms used here.
“Processing” includes activities such as the collection, recording, organisation, structuring, storage, adaptation, retrieval, disclosure, dissemination, combination, restriction, erasure, or destruction of data.
And, as we explored in more depth in our previous post, a data controller is the person or organisation who controls the purpose of and means by which personal data is processed.
So, in a nutshell, a data processor is any third-party entity that processes someone’s personal data under the direction of the data controller.
To wrap your head around it all, here are a few common examples of data processors and why they fit the GDPR’s definition of a processor:
- Google Analytics.
As an online business, you probably use Google Analytics alongside other marketing tech tools to analyse your customers’ personal data. While you, as the data controller, determine why and how their information is processed, these tools simply collect, analyse, and present the data for you.
- Accounting firms (or software like Xero).
While the business that hires employees is considered a data controller, any third-party accounting service or software it uses is considered a data processor, as it stores and utilises employee data such as bank and contact details.
- Market research companies.
Market research companies are contracted to collect, analyse, and share data about research participants under the direction of their clients.
- Everyday people.
An individual person or group of people could be considered a data processor. Let’s say you’re volunteering for a charity organisation, and you’re going door-to-door with a sponsorship form to collect donations on their behalf. Typically, these forms will include fields for you to capture each donor’s name, residential address, email, or phone number, which are all types of personal data. Then, as you hand back the forms to the charity, they may choose to add that data to their email database or marketing lists for Facebook to send follow-up communications.
If you or your business is considered a data processor under the GDPR, there are a number of requirements and responsibilities you’ll need to comply with:
- Create and agree to a contract with the data controller. This contract must explain the subject matter, duration, nature, and purpose of the processing; the categories of personal data being processed; the categories of data subjects whose data is being processed; and the rights and responsibilities of the data controller.
- Keep data safe and secure. You must implement sufficient security measures to ensure data isn’t lost or breached. In the event that a breach happens, you’ll need to report it “without undue delay” to the data controller.
- Keep records of all your processing activities. This is to demonstrate your compliance with the GDPR and protect your business should any legal issues arise.
- Do not sub-contract out any processing activities. This restriction is intended to minimise the risk of any personal data being misused or improperly handled by another third party. If you do choose to hire a sub-processor, however, you can only do so by notifying and getting the authorisation of the data controller via another written contract.
- In some cases, you may need to hire a Data Protection Officer (DPO).
This is typically reserved for large-scale organisations who need a dedicated person to devise and implement a compliance strategy. Learn more about the role of a DPO and when they’re required here.
Understanding whether you qualify as a data processor is one of the first steps to achieving compliance. As with any privacy regulation, it’s important to talk to a qualified legal professional to help you interpret the GDPR as it applies to your situation.