5.6 Step 6: Controllers and processors
via the Internet and do it directly themselves. Similarly, standard forms may be provided via such a portal for requests such as objections and processing restrictions. You will need to make sure you have the appropriate workflow behind the forms to ensure they are logged correctly, processed by the right people within the required timescales and that the identity of the requester is confirmed. Some requests will require decisions to be made and sometimes these will not be straightforward, so having a clear process and roles will be important – see the Data Subject Request Procedure in the Toolkit.
The Data Subject Request Register provides a way to log requests and track them through to completion according to the procedure. We also provide template communications in the event that a request is rejected, may be charged for, or a time extension is needed.
Relevant Toolkit documents:
• GDPR Controller-Processor Agreement Policy
• Processor GDPR Assessment Procedure
• Processor Security Controls
• GDPR Readiness Statement
• GDPR Letter to Processors
• GDPR Contract Review Tool
• Processor GDPR Assessment
• Processor Employee Confidentiality Agreement
• GDPR Readiness Checklist
• Data Processing Agreement
• Sub-Processor Agreement
• EXAMPLE Processor GDPR Assessment
Key tasks:
• Update your contracts to be GDPR compliant
• Find out how your processors are protecting personal data
• If you are a processor, tell your controllers how you protect personal data
• Ensure confidentiality from your employees
The GDPR is very specific about the fact that there must be a contract in place between a controller and a processor (and between a processor and a sub-processor) and about the information and terms that must be included in such a contract. These are laid out in the GDPR Controller-Processor Agreement Policy which, together with the template Data Processing Agreement and Sub-Processor Agreement, may be used as the basis of additional clauses in your relevant contracts, followed by some qualified legal review. Note that the EU is getting better at publishing standard contractual clauses that may be used for this