It’s fairly common for an organisation to pass on the actual handling of data to a third-party organisation, sometimes without ever seeing, or having access to, the data themselves. This doesn’t mean that they’re exempt, though.
The GDPR identifies two kinds of organisations that have responsibilities under the regulations: Data Controllers and Data Processors.
At the top of any chain of data flow is the Data Controller. This is the organisation that makes the data decisions: what data they need, why they need it, how they’ll get it, what they’ll do with it, how they’ll store it, and so on…
Below the Controller is the Data Processor (often there’ll be many Processors who themselves sit above a chain of sub-processors, but let’s not complicate things). A Data Processor handles data on behalf of a Controller…and that’s it. They have no ‘control’ over the data, they make no decisions – they act solely on the instructions of a Controller.
It’s impossible to have a Processor without a Controller sitting above them somewhere, telling them what to do with the data. Conversely, it’s impossible to have data handled by a third-party Processor on your behalf, without being the Controller – and Controllers have a whole heap of duties to perform under the GDPR.