Data Processing Relationships

///Data Processing Relationships
Data Processing Relationships2019-08-23T12:30:30+02:00

No organisation is an island

How you manage data processing relationships matters, because no organisation is an island entirely of themselves. Every organisation is a piece of the archipelago, a part of the island chain.

A link in a chain


Your organisations is probably a link in a chain, beginning with a sole or joint controller at the top, generally passing down to a processor and often ending with a sub-processor (or even additional subsequent processors) at the bottom. There are strict data protection laws (including the GDPR in the EU, the DPA in the UK and POPIA in South Africa) that regulate how that chain operates and require each link to enter into written data processing agreements (DPAs) with their neighbours.

You are likely part of an interconnected processing pipeline, where you have processing relationships with other organisations up or down the line. Most organisations give personal data to, receive it from or share it with other organisations – but, few understand what data protection law requires of those transactions.

Have empathy

You should therefore have empathy for everyone else in your processing ecosystem, because you’re all in the same boat.
You should be able to imagine what it would be like to be in their position in the chain by trying to:

  • understand their thoughtse.g. What does your sole controller think are important terms to put in a data processing agreement with you as a processor? Why do they think that?
  • be aware of their attitudese.g. What’s your joint controller’s attitude towards sharing the responsibilities for complying with data protection law where you’re also a joint controller and you’re both responsible? Why do they have that attitude?
  • be sensitive to their feelingse.g. How does your processor feel when you send them an onerous data processing agreement as their controller? Why do they feel that way?
  • and share in their experiencese.g. How does your sub-processor experience their processing relationship with you, wherever you are in the chain (as a prior sub-processor, processor or controller)? Why do they experience it that way?

Empathy with each other in data processing relationships is better for data subjects – and, that’s who data protection laws care about protecting.

Have empathy for each other. Do it for the data subjects, because you care about them. If you don’t care about them, the law will make you with fines and penalties.

Manage data processing relationships with empathy

We believe that you should manage data processing relationships with empathy because it has the following benefits:

  • discover your place in the ecosystem – it lets you find your place in the processing network as a controller (sole or joint), processor or sub-processor by learning where other organisations are relative to you
  • understand the law – it helps you interpret the meaning of the laws that regulate data processing relationships so that you know what rules to comply with and why by seeing them from someone else’s perspective
  • explore your relationships – it allows you to closely examine your relationship with another organisation when they try to get you to agree to something that the law doesn’t require
  • get what you need – it means you’ll get what you need in a processing relationship by understanding what your controller, processor or sub-processor needs from you in return
  • learn what matters – it lets you acquire the knowledge about what’s essential to have in your data processing agreements and what you can survive without

Discovering your place in the ecosystem, understanding the law, exploring your relationships, getting what you need and learning what matters – empathy gives you many advantages when it comes to managing processing relationships well.

Introducing our Data Processing Relationship Programme

We’re creating our Data Processing Relationship Programme to help you manage data processing relationships with empathy. It’s a planned series of online structured activities to help you reap the rewards of an empathetic approach to processor relationships, with the following main features:

  • weekly interactive webinars – attend a one hour live webinar each week, ask your questions and have them answered in real-time
  • four core modules – read the course notes from the webinar in the private members area of our website
  • watch video recordings – watch video recordings of each webinar any time after they’ve happened
  • come back any time – evergreen access to the programme so that you can come back at any time when we’ve updated the content

We’re creating this programme because all organisations process personal data, but they don’t do so on their own. Unlawful processing by your neighbours affects you, if you are involved in the same processing ecosystem. Most organisations haven’t realised that, when it comes to data processing and their relationships with other organisations – no organisation is an island.

Who should join?

You should join this programme if you’re any of the following:

  • in-house legal adviser – a lawyer employed by your organisation whose job is to give advice related to data processing relationships, including drafting and negotiating data processing agreements
  • compliance officers – a person appointed by your organisation to help them comply with relevant data protection laws and empowered with the authority to do so when it comes to data processing relationships
  • anyone else responsible for managing data processing relationships in your organisation – such as a sales person, account manager or anyone similar

What are the outcomes?

You’ll achieve the following results as a consequence of participating in our Data Processing Relationship Programme:

  • improve processing relationships – have better relationships with other organisations that you share data processing with
  • strive towards compliance – take significant steps towards complying with relevant data protection laws, when it comes to your data processing relationships
  • avoid fines and penalties – stand a better chance of escaping fines and other penalties for failing to comply with relevant data protection laws, when it comes to your data processing relationships

About the facilitators

David Luyt
David Luyt

David is the primary facilitator for our Data Processing Relationship Programme. He believes that less is more when it comes to the law and works as an information lawyer because he enjoys simplifying complex ideas into practical insights.

He facilitates interactive programmes, drafts beautiful documents, and writes succinct opinions so that corporates, SMEs, and entrepreneurs alike can use the law in an accessible and meaningful way to accelerate their business.

He has more than seven years experience in information law and a special interest in how it applies internationally, including in cutting edge jurisdictions such as India, Ireland and Southeast Asia – which reflects in the global perspective of his work.

Why Michalsons?

  • We believe in using the law as a tool to prevent harm from coming to people.
  • We have significant practical experience dealing with data protection law.
  • We cover only those areas of data protection law that are most relevant to you, saving you time and money.
  • We provide insight and simplify the issues, empowering you to work through the obligations yourself.

Programme outline

We’ve structured the programme into a planned series of four core modules to achieve the desired results. Each module is a unit of education covering a single topic. Here’s a general description of the main aspects of each module.

Attitudes towards responsibility | Module one

The first module is all about how to be aware of data processing relationships and aims to help you achieve the following outcomes:

  • determine whether you’re processing personal data as part of the same or separate activities
  • work out which organisation is the controller, processor or sub-processor
  • clarify where your responsibilities begin and end

Thinking like the mastermind | Module two

The second module covers how to understand your controllers. The controller in a data processing relationship is the person or organisation that determines the purpose (‘why’) and means (‘how’) of processing the personal data alone or in conjunction with others, although it is more important that they determine why to process the personal data than how. There can be more than one data controller for the same activity, in which case they would be joint data controllers. This module sets out to help you:

  • consider motivations for processors or sub-processors to map activities

Minions have feelings too | Module three

The third module deals with how to be sensitive towards your processors. The processor is the person or organisation who processes the personal data on behalf of the data controller in terms of a written contract or mandate without coming under their direct authority. Your processors may include suppliers vendors, or contractors –- but they don’t include employees, because they are under the direct authority of the data controller. This module plans to help you:

  • learn whether the processor should disclose their sub-processors or how they should
  • decide on appropriate technical and organisational security measures for the personal data

The delegated experience | Module four

The final module looks at how to share in the experiences of your sub-processors. The sub-processor is the person or organisation that the processor may engage as a subsequent processor to process the personal data. The sub-processor may sometimes engage additional downstream processors as subsequent sub-processors. This module tries to help you:

  • decide on what’s important when it comes to data protection law
  • work out which organisation is responsible for which ‘big obligations’

How long is the programme?

This programme will officially begin on Thursday, 4 July 2019. You can watch the webinar recordings at a later date, which means you can work through at your own pace and can go as fast or slow as you like. Most organisations take four weeks to work through the whole programme. An unlimited number of named users in your organisation will get access to the programme. Webinars will take place every Thursday at 10:00am.

FAQ

How long will my organisation have access for once we’ve paid?

You will always have access. And the content will be updated as the law and best practice is continuously developing.

What does the programme NOT cover?

You can also read what is excluded and what the programme is NOT.

How many people in my organisation can have access?

The access is per organisation. So you can have an unlimited number of participants from your organisation. We do however recommend that you don’t have too many so that you are sure who has accountability for driving your compliance.

What if we still need help on specific questions we have?

You’re welcome to contact Michalsons at any time. We will try to answer where we can, and if there is significant research or work required we will provide you with quotations to do the work.

Testimonials

The workshop demystified a substantial amount of issues and did what it was supposed to “simplify” the law – Much appreciated!

Excellent presenter! Very knowledgable and read his audience needs well.

Price

We charge a once off upfront price for lifetime access to the programme. Click join to complete the programme registration form. You choose the currency and we will send you an invoice for payment. The prices listed include VAT.

EUR       710
USD      800
ZAR   12 000

100% Money Back Guarantee

We will refund you if you do not think you received value.

Join

Tackle your compliance challenges now by clicking on “Join” above!

If you’re still not sure…

If you’re still not sure whether the programme is for you, complete our free high level data protection impact assessment.

By completing this data protection impact assessment questionnaire, we’ll be able to assess:
the impact of applicable data protection laws (like the POPI Act and GDPR) on your organisation, and
the best way forward – what action will meet the requirements of your organisation.

Based on the information you provide, we’ll either send you an email with next steps to take or set up a data protection impact assessment call with you to discuss.