How to manage data processing as a service provider

How you manage data processing relationships matters, because no organisation is an island entirely of themselves. Your organisation is probably a link in a chain, beginning with a sole or joint controller at the top, generally passing down to a processor and often ending with a sub-processor (or even additional subsequent processors) at the bottom. There are strict data protection laws that regulate how that chain operates and require each link to enter into written data processing agreements (DPAs) with their neighbours.

Do you have the necessary abilities, knowledge or skills to manage your data processing as a service provider in terms of relevant data protection laws?

If you are a processor in the chain, then you have obligations going upstream to your controllers and downstream to your sub-processors. This lens is a detailed examination of your obligations as a processor in a data processing relationship chain.

What laws apply to your processing?

Relevant data protections laws, such as the GDPR in the EU, CCPA in the US state of California and POPIA in South Africa apply to your processing as service provider. They all have slightly different rules that apply where you fulfil the role of the processor, but there are some broad principles that are common across all jurisdictions, namely that the processor should:

  • follow the controller’s instructions; and
  • take reasonable steps to secure the personal data in their care.

This makes sense, because the controller has the lion’s share of responsibility for having to comply with relevant data protection laws and could be held liable for a breach, leak or other data security incident originating from their processor. But what about your position as the processor?

It is not great for business for your customers to dictate the details of how you run your organisation as a service provider, even where they are your controller from a data protection perspective. Where can or should you refuse to follow their instructions? And what can you do to protect yourself in the event of a data security incident? These are common pain points that arise in the context of processor-controller relationships and we will deal with them in detail in this lens.

Will joining this lens help my organisation comply?

Yes. That is the short answer. We understand that you may be working with limited resources and budgets. We want to help you in the most efficient and cost-effective way. Our data protection lens for processors will help you. This lens combined with our practical core programme takes you through the key actions an organisation acting as a processor must take to comply.

Who should join the processor lens?

If you have joined one of our core programmes then you get complimentary access to this lens. This lens is for all organisations that act as processors and includes:

  • service providers;
  • suppliers; and
  • contractors.

What are the outcomes?

We believe that as a processor you should manage data processing relationships with empathy because it lets you see things from the other party’s perspective, which means it:

  • lets you find your place in the processing chain;
  • helps you interpret the laws that regulate data processing relationships;
  • allows you to examine your relationship with another organisation;
  • means you will get what you need in a processing relationship; and
  • lets you learn what is essential to have in your data processing agreements.

About the facilitator

David Luyt
David Luyt

David believes that less is more when it comes to the law. He works as an information lawyer because he enjoys simplifying complex ideas into practical insights. He is uniquely positioned for any organisation acting as a processor seeking a privacy specialist to ensure compliance peace of mind. He has formalised his experience by obtaining his CIPP/E from the IAPP and has a special interest in how data processing agreements are required by law. David has been an associate at Michalsons for the past seven years.

Why Michalsons?

  • We believe in using the law as a tool to prevent harm from coming to people.
  • We have significant practical experience dealing with data protection law.
  • We cover only those areas of data protection law that are most relevant to you, saving you time and money.
  • We provide insight and simplify the issues, empowering you to work through the obligations yourself.

How long does it take to work through the lens?

You can work through this lens at your own pace and go as fast or slow as you like. Depending on the data protection processes you already have in place, it could take you a few hours or a few weeks to work through this lens.

Price

A lens is a complimentary programme that you get access to by joining the data protection programme. It contextualises data protection for a particular audience, such as community schemes, non-profits, or schools.

These lenses serve as an additional guide as you work through the core programme.

100% Money Back Guarantee

We will refund you if you do not think you received value.

Tackle your compliance challenges now!

Join