How to ensure proper data processing and supervision of data processor
When you, as a private company, public authority or institution, process personal data, you are responsible for ensuring that the processing is carried out properly. This means both complying with the law yourself and ensuring that your data processors - external suppliers who process personal data on your behalf and on your instructions - maintain an adequate standard of data protection. In this article, we look at how to identify your data processors, conclude data processing agreements with them and carry out supervision proportionate to the risk, so as to minimise the risk to the security of the personal data.
Identify your data processors
The first step is to identify which companies process personal data on your behalf. This may include payroll agencies, CRM providers, hosting providers and other suppliers who handle personal data as part of the service they deliver to you. The decisive question is whether the supplier processes the data only on your instructions (a data processor) or decides the purposes and means of the processing itself (a separate controller). If you are in doubt about whether a supplier is a data processor, contact them for clarification.
Conclude data processing agreements
Once you have identified your processors, you must ensure that a written data processing agreement exists between you and each of them; this is a requirement under Article 28 of the GDPR. If such an agreement is missing for a supplier, contact that supplier and conclude one before the processing continues.
Schedule regular reviews and inspections
To keep track of your data processors and fulfil your obligations, set a fixed time each year to review your data processing agreements and to schedule the supervision of your processors. A fixed annual cycle helps you maintain an overview and demonstrate that you remain in compliance with the law.
Assess the risk of each data processor
The risk posed by a data processor depends on how likely it is that something goes wrong and on what the consequences would be for the data subjects (e.g. employees, customers, citizens). The higher the risk, the more demanding your supervision of that processor must be. Remember that it is the risk to the data subjects you must assess, not just the risk to your own organisation or authority.
Supervise data processors based on risk assessment
Once you have assessed the risk of each processor, you must supervise it in line with that assessment. Supervision may involve reviewing the processor's security procedures, examining any reports of personal data breaches or carrying out spot checks. It should be proportionate to the risk, ranging from thorough inspections of high-risk processors to lighter checks of those with lower risk.
Document your supervision activities
Keep an accurate record of your supervision activities so that you can demonstrate to the supervisory authority (in Denmark, the Data Protection Agency) and other stakeholders that you are fulfilling your obligations as data controller. The record should state when the supervision was carried out, which processors were checked, which methods were used and what the results were.
Address any problems that arise
If your supervision reveals problems with a processor's practices, you must act promptly to have them resolved. This may mean requiring the processor to correct the deficiencies, strengthen its security measures or change its procedures so that the rights of the data subjects are better protected. If the processor cannot or will not remedy the deficiencies, you should consider whether you can continue to use it.
Ensuring proper data processing and supervising your data processors is an important part of complying with the GDPR and protecting personal data. By following the steps outlined in this article, you can take the necessary precautions to minimise risk and fulfil your responsibilities as data controller. Stay informed about changes in legislation and best practice so that your organisation continues to protect personal data responsibly.
We also recommend that you familiarise yourself with the Danish Data Protection Agency's guidance on the supervision of data processors.
The images in the article are from DPA Service, a .legal product and service where we can help you carry out audits of your data processors. Read more about DPA Service here.