Answering questions about data privacy is vital for a data processor business. Data controllers are responsible for choosing processors who meet various legal requirements under the UK GDPR, and due diligence is a big part of that process. Handling these requests professionally can help you build trust with your controller clients and demonstrate your commitment to protecting personal data. This article explores some key ways to handle customer due diligence requests effectively.
What Is the UK GDPR?
The UK General Data Protection Regulation (UK GDPR) is the critical law which governs the handling of personal data in the UK. Under its rules, organisations must comply with various principles around lawfulness, fairness, transparency, data minimisation, accuracy, and accountability when processing personal data. Both data controllers and processors must follow these principles to ensure lawful data processing.
What Is a Data Processor?
A data processor is a business or entity that processes personal data on behalf of a data controller. This processing can include storing, collecting, transferring, or analysing personal data. Processors do not decide how or why data is processed but must follow the instructions given by data controllers and comply with data protection laws.
Critical aspects of a processor’s role will include the following:
- they will process personal data only based on the controller’s instructions;
- they must ensure appropriate security measures are in place to protect personal data;
- they must be ready to assist controllers when responding to data subject requests;
- they will need to maintain records of processing activities unless exceptions apply; and
- they must report data breaches to controllers promptly.
What Is Data Processor Due Diligence?
Data processor due diligence involves a controller evaluating a processor’s ability to protect personal data and comply with the UK GDPR.
This process helps controllers ensure processors meet the necessary standards to safeguard data subjects’ rights and manage any associated risks. For processors, due diligence offers a chance to show compliance practices and build credibility with potential clients. This typically occurs when a controller wants to work with a new processor.
For instance, your business may deliver services to a controller customer and need to access their CRM systems, which contain various kinds of personal information. The customer must understandably conduct multiple checks to ensure they are comfortable entrusting such data to your business.
What Questions Should I Expect in a Due Diligence Request?
Controllers are likely to ask several questions to assess your data protection capabilities.
Here are some typical questions you might come across from controllers:
- Do you maintain records of processing activities? Controllers will want to see if you keep detailed records of how data is processed, including the purposes of processing and any third-party recipients. Be prepared to explain how often these records are reviewed and updated. Recordkeeping is always best practice;
- What security measures do you have in place? Expect questions about your technical and organisational security measures, such as encryption, access controls, and regular security audits. Controllers may also ask about any security certifications you hold, like ISO 27001;
- How do you handle data breaches? Controllers will be interested in your data breach response procedures, including how you identify, manage, and report incidents. You may also need to provide information on any data breaches you have experienced and how you handled them;
- How do you manage third-party relationships? If you use sub-processors, controllers will ask about your agreements with them and how you ensure their compliance with data protection laws. Be ready to discuss where sub-processors are located and how data is transferred between parties;
- How do you handle international data transfers? Controllers must understand how you manage international data transfers and the safeguards you use to comply with UK GDPR rules on cross-border data flows. This can be critical, and you should get legal advice if you are unsure about it;
- What is the method of destruction of personal data at the end of the contractual relationship? Be prepared to explain your procedures for securely deleting or returning personal data once your contract with the controller ends; and
- What data protection policies do you have, and which training do you deliver? Controllers will want to understand which policies you have in place and how you train your staff on safeguarding personal data.
How Should You Handle Due Diligence Requests?
To handle due diligence requests effectively, you should prioritise preparation, transparency, and collaboration with data controllers, demonstrating compliance with UK GDPR rules. Implementing robust security measures such as encryption, access controls, regular security audits, and employee training on best practices shows your commitment to data protection.
Ensure that all necessary UK GDPR documentation, such as a comprehensive data protection policy and records of processing activities, is in order and regularly updated to reflect any changes in data processing activities or legal requirements.
Additionally, you should foster a cooperative relationship with data controllers, as this demonstrates your commitment to transparency and data protection.
How Can Due Diligence Requests Benefit Your Business?
Handling due diligence requests is not just about compliance. It is also about showcasing your data protection capabilities and making a positive impression on potential clients. Demonstrating your dedication to data protection can help you stand out from competitors and win new business.
Key Takeaways
Handling controller customer due diligence requests as a processor is essential to demonstrating compliance with the UK GDPR. You can effectively manage these requests by implementing robust security measures, maintaining comprehensive documentation, anticipating questions, and cooperating with controllers. Remember that you can also use due diligence to show your data protection capabilities and win new business by convincing your controller customers that you are the right partner to handle their data safely.
If you need help with UK GDPR compliance requests, LegalVision’s experienced data privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
1. What is a Data Processor?
A data processor is an entity or person that processes personal data on behalf of a data controller. Processors must follow the controller’s instructions and comply with data protection laws when processing data.
2. What is Data Processor Due Diligence?
Data processor due diligence is how a data controller assesses a processor’s ability to comply with data protection laws and safeguard the personal data shared with them. This involves evaluating the processor’s security measures, policies, and practices to ensure they align with the UK GDPR requirements.