The UK General Data Protection Regulation (UK GDPR) prescribes strict legal rules which apply when organisations share personal data. Where a data controller shares personal data with a data processor, a fundamental rule is to ensure the processor has appropriate safeguards in place to protect that personal data. The due diligence exercise aims to determine whether the relevant processor has such safeguards. This article will explore the concept of data processor due diligence and some key questions to ask as part of this process.
What Is the Relationship Between a Controller and a Processor?
If your organisation processes personal information, you will do so as either a data ‘controller’ or a data ‘processor’.
A data controller has most obligations under the UK GDPR, as a controller is an organisation that decides how and why personal data is processed. In contrast, a processor’s obligations are more limited. A processor is a separate organisation that processes personal data on the strict instructions of a data controller.
Controllers and processors need to follow strict legal rules when sharing personal data. In particular, the parties must enter into a mandatory agreement that sets out data processing terms. The agreement is vital to safeguard the personal data a controller shares with a processor.
It is also vital for data controllers to carry out due diligence on their data processors, as explored further below.
Why Is Due Diligence Important for Compliance?
Controllers need to carry out due diligence on any intended data processors. Due diligence allows the controller to assess whether the processor will implement appropriate technical and organisational measures to meet the UK GDPR requirements.
Let us explore a practical example:
Your business is a marketing firm that hires several staff members. You cannot support IT queries internally, so you seek to outsource to an IT supplier. The supplier will act as a data processor with limited access to your staff details. For example, they can call or email your staff to resolve their IT queries. As the supplier will access your staff data, you must ensure they will do so lawfully and in accordance with UK GDPR rules. For instance, what will happen if the supplier causes a data breach and your staff details are leaked? What security measures has the supplier put in place to prevent such risks? Can you trust them with your staff data? Due diligence will help you assess this.
If your business is a data controller, due diligence on your processor is vital to UK GDPR compliance. Due diligence will help you assess various legal and practical factors. For instance, you can gauge:
- whether the processors you engage comply with the UK GDPR;
- whether the processors have appropriate security measures to safeguard your company’s data; and
- whether allowing the processor access to your data will create risks. Due diligence is a crucial aspect of risk management.
By undertaking thorough due diligence, you can assess whether you should work with a third-party processor, depending on whether they meet your expectations around data protection responsibilities.
What Questions Should I Ask as Part of My Due Diligence?
Due diligence assesses how far a processor will comply with the UK GDPR rules. As such, you should consider issues such as which types of security a processor has in place, how they will safeguard personal data, and how they will protect individuals’ rights.
Here are some of the critical questions to ask of a data processor as part of your due diligence:
- Does the processor maintain a record of processing activities to demonstrate its data processing activities? If so, how often is this reviewed and updated?
- How does the processor store personal data on behalf of a data controller? Are any third parties engaged in data storage?
- Which data security procedures does the processor maintain to keep all information processed on behalf of a data controller secure? Do they have any security accreditations?
- Does the processor have policies and procedures for detecting and dealing with data breaches and reporting them to the controller? Have they suffered from any data breaches?
- How is personal data destroyed at the end of the contractual relationship?
- Does the processor engage any subprocessors to carry out processing activities on its behalf? If so, where are the subprocessors and the data located? Does the processor have written agreements in place covering these relationships?
- If the processor transfers personal data outside the United Kingdom, what measures does it use to ensure compliance with the UK GDPR rules on international transfers?
Ultimately, the type of due diligence questions asked will depend on the relevant project, the nature and sensitivity of personal data the processor will process and the level of risk.
You should also review your due diligence from time to time when working with processors to ensure you continue to be satisfied with their UK GDPR compliance measures.
Key Takeaways
Controllers should conduct thorough due diligence when engaging third-party processors to process personal data on their behalf. This exercise can help demonstrate compliance with the UK GDPR rules and that you have investigated processors to check their compliance and security measures before sharing data with them.
If you need advice on data processor due diligence, LegalVision’s experienced data, privacy, and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.