Due diligence for controllers: What you need to do when appointing a processor (including tips for your data protection agreement)
What is a data processor?
A data processor is any third party that you engage to process personal data on behalf of your business. This could include, for example, software providers, IT support, outsourced HR services and consultants.
“Processing” has a wide definition under data protection laws and includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. This means that any third party that has access to your personal data could be a processor. You can find out more about how to determine if someone is a processor here.
What should you do before appointing a data processor?
Controllers are subject to a number of legal requirements under data protection laws. One of these requirements is that controllers can only use a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets UK GDPR requirements.
Below are three ways to ensure that the processor being engaged will provide those guarantees:
1. Due diligence checks
Controllers are responsible for assessing that the processor is competent and qualified enough to process the personal data in line with the UK GDPR’s requirements. Failure to do so could put the controller in breach of data protection laws. This assessment should take into account the nature of the processing and the risks to the data subjects. Due diligence checks on processors will usually assess the following measures and requirements:
Security measures - controllers must ensure that processors have appropriate security measures in place to protect the personal data they have access to. This could include requiring processors to hold certain security certifications (e.g. ISO 27001) or checking that they have other internal security procedures in place that mirror the controller’s own security protocols.
History of breaches - knowing whether a processor has suffered personal data breaches previously, and if so how they mitigated and handled those breaches, can be an important indicator of the processor’s ability to meet UK GDPR requirements going forward.
Onwards transfers - some processors will sub-contract elements of their business operations and therefore require the use of sub-processors in order to fulfil their processing activities. Knowing who those sub-processors are and carrying out due diligence on those sub-processors is key to ensuring that personal data will be dealt with to a high standard.
Location of processing - if personal data is transferred to, or accessed from, outside the UK and EEA, data protection laws require additional safeguards to be put in place. It is therefore key to find out where processors host and store personal data - some controllers will require processors to only hold their personal data within the UK and EEA to ensure it is appropriately safeguarded.
The checks should be carried out before a processor is appointed, but should also be reviewed and updated regularly to ensure that the processor is continuing to meet the standards required. You should keep a record of all due diligence assessments that you carry out on processors, as these can help your business demonstrate compliance with the accountability principle in the UK GDPR.
2. Get a data protection agreement in place
A data protection agreement is not only a legal requirement when appointing a processor, but can be key to managing your processor relationships. It can boost your processor relationships in the following ways:
Clearly define the processing scope - the data protection agreement will set out the scope of processing that the processor is being engaged to carry out. This means that both parties are clear on exactly what is expected of the processor, and ensures that the processor does not carry out any processing that is not expressly allowed by the controller.
Processor obligations - the data protection agreement will include a number of obligations on the processor. This could range from confidentiality obligations to obligations to assist the controller with compliance with its own data protection law obligations. For more information about these obligations, see our FAQs for processors.
Audit process - a data protection agreement will include a right to inspect the records held by the processor about its processing activities, and to carry out an audit to check the processor is complying with the terms of the data protection agreement. This can be key to ensuring that a processor is meeting the standards that are required by data protection laws.
3. Carry out a data protection impact assessment (DPIA)
Depending on the processing that will be carried out by the processor, you may need to carry out a data protection impact assessment to see if that processing can be carried out lawfully. Under Article 35(1) of the UK GDPR, a controller must carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals e.g. large-scale profiling or use of innovative technologies to process personal data. The ICO’s template DPIA can be found here.
Why does my business need a data protection agreement?
It is a legal requirement of the UK GDPR that a data protection agreement is put in place where a controller appoints a processor to process personal data on its behalf. But as well as being a legal requirement, a well-drafted data protection agreement can be key to a positive relationship with processors. By clearly defining the processing scope and the processor’s obligations, it will be clear from the outset of the relationship exactly what is expected from the processor.
A data protection agreement can also help businesses demonstrate their compliance with the accountability principle under data protection laws. The accountability principle means that controllers must comply with the UK GDPR accountability obligations, such as maintaining records and other documents, carrying out data protection impact assessments and appointing a data protection officer (where required).
How can Docue help?
Docue’s data protection agreement template has been drafted, and is maintained by, privacy lawyers to ensure that it complies with the requirements of data protection laws for contracts between controllers and processors. As well as the mandatory requirements, it also contains a number of optional clauses (e.g. liability and indemnity) that can be added to suit your situation, if required.
The data protection agreement template contains guidance notes throughout, so that you are easily guided through the process and can create a high-quality data protection agreement in no time.
Sign up now to use Docue's data protection agreement template.