GDPR Data Processing

There has been much written over the last few months of GDPR, some of it is good accurate information and the rest, well, fish and chip paper is probably it’s best use.

A lot of what has been written has been about the attention-grabbing fines, the debate about consent and the right to be forgotten. There has been very little about the foundation of the data protection principles, the legal basis for processing, the processor-controller relationship and the fact that in many ways the GDPR isn’t very dissimilar to the current Data Protection Act. Whilst I could write war and peace on these subjects there are three points that I haven’t read much about, that are very important. One or two of them might even be an eye opener for you.

Choosing a data processor

As a data controller you have full accountability for ensuring that if you use a company to do your processing (for instance an outsourced marketing company), that you have conducted the right level of due diligence to ensure that they have the right “technical and organisational controls in place to keep data safe and secure”. These measures should be at least equal to yours, and if they sub this out further (let’s say to a contractor), you should also be given the opportunity to decline the sub-processor. Should have the same security measures in place.

It is vital to have the processor-controller relationship, liabilities, and actions (what they can and can’t do, what they should do with your data once the project is finished) set out in terms and conditions. It is both companies responsibility to have this documented, without it, all parties open themselves up to hefty fines if there is a breach. What’s more, if you’re the data processor without sufficient organisational and technical measures in place and there is a breach, the terms of the contract will ultimately lay the fines of the controller at your door, and that could be 4% of their turnover!

Whilst the fines are robust, it is someway short of the reputational damage that would be done to your business. 

Food for thought!


This is one that many just can’t seem to get right. So back to the basics of data protection which will help in the understanding of this. You must have a legal basis to process personal information of individuals, one of these is consent (but there are more). Just because you have consent for the general processing of data, does not mean this is consent for marketing. It is worth noting businesses will need explicit consent for data transfers to non-EEA countries or where there is a high risk in a transfer and for the processing of sensitive data. 

Whilst this regulation has been around since 2002 not many have heard of it!

The tick box off the shelf approach

As you would imagine, GDPR has become a little like cyber was a year or two ago, plenty of people jumping on the band wagon, and many of them not really knowing more than the very basics.

There are plenty offering the silver bullet of an 'off the shelf solution' that can be applied across the board. The issue here is that every business is different, different people, ways of working, nuances and challenges. Whilst there will be some commonalities between companies, it's unlikely a one size fits all approach will work if you want to do it properly.

For example, if we look at a privacy policy that is written correctly and to the guidelines issued by the ICO, it should be produced once you know what the data flows in your business are. What information will be gathered and for what purpose, who they will be shared with and more. If you take two businesses that you know, do these match completely or will there be some anomalies?

Author bio

Jezz Gobran, MD of i-Secured, a Birmingham based data protection and information security consultancy. Helping business understand and meet legal data obligations whilst Protection their reputations and businesses.