April 22, 2021

Who does what in GDPR?

If you’ve read our blog on Who’s Who in GDPR?, you’ll know the difference between Data Subjects (people) and organisations which decide what happens to their data (Data Controllers) or who store or process their data (Data Processors and/or Sub Processors).

Now, we’re going to look at the responsibilities of organisations controlling, storing or processing data in more detail. This will help you:

  • Identify if your sub-contractors are putting your data at risk
  • Understand what your clients need from you

Myth-buster: the role of the Data Controller

The Data Controller is responsible for data management from cradle to grave. Unfortunately, there’s a common misconception that Data Controllers can outsource their data processing and make their GDPR compliance someone else’s responsibility. This simply isn’t true.

If your organisation is a Data Controller you can minimise the risk of action being taken against you by:

  • Paying the data protection fee (unless you are exempt)
  • Taking steps to secure your data (and protect your reputation)
  • Ensuring that any Data Processors comply with the GDPR

If you’re a Data Controller, you need to have a legal agreement (Data Processing Agreement) in place with each Data Processor, just as ABC Ltd has with Vic’s Vans (using the example from Who’s Who in GDPR?).

The GDPR has a long list of requirements for Data Processors (you may have heard of Articles 28-32) but, as an absolute minimum, this agreement should:

  • Outline the type of information that the Data Controller will pass to the Data Processor
  • Record how data will be processed


Ensuring your Data Processors and Sub Processors don’t put you at risk

Data Processors and Sub Processors aren’t off the hook as they also have a number of responsibilities. Those who don’t comply may also have action taken against them.

Your Data Processor or Sub Processor should:

  • Take steps to secure data
  • Keep records of data processing
  • Not share the information with anyone else without the permission of the Data Controller
  • Inform the Data Controller immediately if a leak is identified or suspected


Four steps Data Controllers can take to boost compliance

If you’re concerned about your compliance, like the founders of ABC Ltd, there are some simple steps you can take.

  1. Check that you’re registered with the ICO
  2. Make a list of the data you have and why you store it. Often clients are surprised by the volume of data they hold. Follow the ‘life’ of a piece of data from the moment you collect it until it’s deleted. If you’re not confident doing this, we can help you.
  3. Identify your Data Processors and make sure you have a legal agreement in place with each of them. Don’t forget, their compliance needs to equal or exceed yours. If you have any concerns, you have the right to audit any of them or ask specialists like us to do this for you. We can provide some sample agreements too, if needed.
  4. Look at your data inventory, identify where you store data and check that you’re not holding data that’s no longer required. You also need to ensure that your data is properly secured. You may find that a certification like IASME Governance can help you with this.

If this feels overwhelming, don’t worry. We can help you with all aspects of GDPR compliance.


Six ways Data Processors can put Data Controllers’ minds at ease

If, like Vic’s Vans, you’re processing data on behalf of a Data Controller, you may need to reassure a client that you will safeguard their data and their reputation.

Here are six ways to do this:

  • Be open about the steps you take to review and improve your GDPR compliance, such as internal reviews or reviews conducted by specialists (such as our GDPR Discovery Review)
  • Help staff at all levels – including the board and senior leaders – to understand the GDPR and their role in ensuring compliance
  • Ensure you have a trained Data Officer or someone who knows how to respond if you have a GDPR crisis (any external advisors should have a good understanding of your business so they can respond quickly)
  • Consider certification such as IASME Governance or ISO27701 (the Privacy Information Management Standard)
  • Prepare standard answers for supplier questionnaires to ensure you answer them fully and accurately (alternatively, create and share a FAQ)
  • Let potential clients know that they have the right to audit you and you’ll make it easy for them to do so


In summary

Compliance may not sound exciting, but it’s a sure-fire way to reduce your risks, protect your reputation and stand out from the competition.

If you’re not convinced that you meet the requirements of the GDPR, please contact us in confidence on 01926 800710 or email info@riskevolves.com.


See more content from Risk Evolves here.

Newsletter Sign Up

Newsletter Sign Up

Get regular insights direct to your inbox.