WilsonCooke Logo
Back to thoughts

GDPR for data processors – what you need to know

Mark’s video on GDPR for data processors – watch to check you’ve not missed anything obvious before the legislation comes into effect on May 25th.

[VIDEO TRANSCRIPT]

Q: What is a ‘data processor’ in terms of GDPR – how does it differ from a ‘data controller’? 

Mark answer: A processor is any person, agency or company that does something with personal data for a data controller – another party.

The controller is the ‘data owner’ – they instruct the processor to do something with that data.

WilsonCooke, as a marketing agency, acts both as a processor – for our clients’ data (that we hold or do something with for them) and as a controller – for our employees’ data (payroll and contact information).

Q: What is MY responsibility, as a data processor? 

M: The starting point is to understand the legislation and to seek relevant legal guidance and advice, which is something that we’ve done.

We’ve worked on a GDPR project to understand our responsibilities as a data processor.

The other key aspect is to take advice and direction from the data controller – who ultimately determines what they want you to do with their data as a processor – and act on that.

Having clarity as far as agreements and contracts in place that determine this is really important also.

Q: What are the first steps I need to take – in my business AND with data controllers?

M: It starts with a data audit.

Understanding and reviewing the data that you hold in the systems that you manage and maintain, what that data is, how personal it is – and drawing up an action plan for how you need to approach that for each of the data controllers.

Staff training is also really important.

That’s workshops, policies, processes so staff understand their responsibilities and how they can ultimately impact and affect this – and how GDPR is going to affect the work they do on a day-to-day basis.

From a data controller perspective, what you’re also then able to draw up are policies & processes that help to ensure that what they’re doing is lawful – some of which refers to ‘lawful consent’ – a vital starting point when it comes to GDPR.

Q: How do I future-proof my business and operations for GDPR?

M: Future-proofing comes from placing privacy and security of personal data at the heart of everything you do.

For example, running privacy assessments and impact assessments at the start  of projects, to make sure you identify any needs around personal data.

What you’re able to then do is plan and prepare for that right at the beginning – the worst thing you can do is try to retrospectively ‘fit in’ something to do with security or privacy around personal data when you get to the end.

So the more you can hit that at the beginning and start to implement ‘privacy by design’ via training and workshops within the relevant areas of your business, that will be a big step towards future-proofing anything you do.

Q: How do I reassure my clients about my understanding of GDPR?

M: Reassurance comes from a consistent message regarding the importance of this legislation and how much impact it can have on any business.

It’s quite dangerous for companies to feel as though it’s not important or relevant to them – ultimately it’s relevant to everyone and the whole aspect of a business.

We’ve been really consistent with our approach to up-skill our staff.

This is fed by our commitment to become ISO 27001 Certified and ensure that – as a company – we’re taking GDPR as seriously as we should and that this message is translated to our clients.

Thanks Mark!

For more in-depth detail on GDPR, see the Information Commissioner’s Office.

To talk about how your business handles personal data, please contact us.

Wilson Cooke
March 28th, 2018
WilsonCooke