Data Processor Diligence

If you are going to outsource aspects of data processing to third parties you not only have primary responsibility for your own compliance but also for ensuring the compliance of your Processors.

This means that, regardless of the terms of the contract with a Processor, the Controller may be subject to any of the corrective measures and sanctions set out in the GDPR. These include orders to bring processing into compliance, claims for compensation from a data subject and administrative fines.

There is also a separate requirement to have a GDPR compliant contract in place. The contract must ensure that the processing of Personal Data, by a Processor, will comply with all the GDPR’s requirements and protect the rights of data subjects. The GDPR sets out specific terms that must be included in the contract, as a minimum.

Responsibilities

You are responsible for assessing that the data processor is competent to process Personal Data in line with the GDPR’s requirements taking into account the nature of the processing and the risks to the data subjects.

You must put in place a contract or other legal act that meets all the requirements of Article 28(3) and give the Processor documented instructions to follow (either in the contract or separately).

You must ensure your Processors compliance on an ongoing basis in order for you to satisfy the accountability principle and demonstrate due diligence. In particular, Article 28(3)(h) explicitly requires the Processor to allow for and contribute to audits and inspections, carried out either by the Controller or a third party appointed by the Controller. The methods used to monitor compliance and the frequency of monitoring will depend on the circumstances of the processing.

Our Solution

We can carry out a  level of diligence on proposed data processors to ensure that you meet your compliance obligations under the GDPR and that there is a suitable contract in place.

Costs

Yearly subscription £100 (Waived for Reputation Advocates).

Questionnaire based diligence check £50 per processor.

Template Data Processing Contract £99.

Data Protection Audit £300 per day plus reasonable travelling expenses.