Guide to GDPR and Third-Party Data Processors

Your organisation’s relationship with third-party data processors is crucial for GDPR (General Data Protection Regulation) compliance.

The Regulation states that data controllers can be held liable for breaches further down the supply chain.

There’s a good reason for this rule. Third parties often provide vital services, such as payroll and software development, and disruption to these systems will affect both parties.

Incidents like this occur more often than you might think. A Ponemon Institute and RiskRecon study found that, been 2021 and 2022, 54% of surveyed organisations suffered a data breach caused by a third party.

Making data controllers responsible for the GDPR compliance practices of third parties ensures that they take care when choosing suppliers. If they pick one with poor information security practices, or if they fail to perform due diligence on partners, the data controller could face the consequences of a data breach – including a potentially sizeable fine.

What is a third-party data processor under the GDPR?

Under the GDPR, the collection of personal data is split into two roles: the data controller and the data processor.

A data controller is the person or group that decides when and why an organisation collects personal data, whereas a data processor is the person or group that does the legwork. It sources the information, collates it, stores it and protects it.

In some cases, the data controller and the data processor are the same group. That is to say, an organisation determines a need to process personal data and then carries out that activity. However, there are many instances where the data controller outsources data processing role to a third party.

Securing the data supply chain can be a challenge. Under the GDPR, data controllers are liable not just for their compliance but also for that of third-party processors.

Contracts and questionnaires, while valuable components of any due diligence process, are necessarily limited.

They will be best suited for low-risk third parties, while audits are necessary for those that pose a greater risk.

Read Third-Party GDPR Audits – Conducting due diligence to find out how to get started. 

GDPR risks with third parties

To avoid falling foul of the GDPR, data controllers must understand the data protection risks in the way that processors operate. There are six different types of third-party risk, but from a GDPR perspective, information security risk and compliance risk are the two most relevant.

Information security risks refer to scenarios that could result in a data breach. This includes any instance where the confidentiality, integrity or availability of information is compromised. Data breaches can occur, for example, when an employee loses physical files or throws them away without shredding the documents.

Likewise, information security risks occur when an organisation’s systems are knocked offline, rendering them unable to access their files.

Any scenario like this should be considered an information security risk and will have GDPR ramifications.

That leads us on to compliance risks. This covers security incidents such as the ones we discussed above, but it also covers processes and policies related to relevant laws and regulations.

For instance, does the data processor have documentation proving that personal information has been processed in line with the GDPR’s requirements? Has the organisation implemented “appropriate technical and organisational measures” to protect personal data?

Although your focus will presumably be on GDPR compliance, you should also consider internal policies and frameworks, such as ISO 27001.

Many organisations are contractually obliged to certify to the Standard to demonstrate their commitment to information security.

If you are one such organisation, it’s essential that suppliers meet ISO 27001’s compliance requirements. Even if there is no contractual necessity, an organisation that produces ISO 27001 certification can quickly prove that it takes information security seriously.

Reviewing your data processor contracts

The GDPR states that data controllers and data processors must sign written contracts outlining their rights and responsibilities when processing personal information.

These contracts should include a commitment to GDPR compliance alongside any specific measures that should be taken to achieve this. For instance, both parties should agree on how to handle certain obligations, such as transferring personal data and fulfilling data subjects’ rights.

The contract should also summarise established rules under the GDPR for handling personal data. For instance, third-party data processors may act only on the data controller’s documented instructions, and personal information should only be processed if there is a lawful basis to do so.

Likewise, data processors must not be permitted to hire a sub-processor without prior approval, and they are required to delete or return all personal data to the data controller at the end of the contract.

Getting the contractual terms right is an essential component of hiring a third-party data processor. A mistake at this stage could jeopardise your GDPR compliance posture, and you might face enforcement action or a fine.

At DQM GRC, we understand how difficult it can be to manage third-party relationships. If you’re looking for help, we offer a range of third-party risk management solutions led by a team of expert consultants.

Whether you’re looking for at the due diligence process, supply-chain risk management, vendor risk management or third-party processor risk management, our experts can help you at every step.


  • Luke Irwin

    Luke Irwin is a former writer for DQM GRC. He has a master's degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.

    View all posts

Add a Comment

Your email address will not be published. Required fields are marked *