Ïã¸ÛÁùºÏ²Ê×ÊÁÏͼ¿â

In addition to contractual obligations set out in GDPR, a processor has the following direct responsibilities under the GDPR. The processor must:

• only act on the written instructions of the controller
• not use a sub-processor without the prior written authorisation of the controller
• cooperate with supervisory authorities (such as the ICO)
• ensure the security of its processing
• keep records of its processing activities
• notify any personal data breaches to the controller
• employ a data protection officer if required
• appoint (in writing) a representative within the European Union if required

A processor should also be aware that:

• it may be subject to investigative and corrective powers of supervisory authorities (such as the Information Commissioner's Office (ICO))
• if it fails to meet its obligations, it may be subject to an administrative fine
• if it fails to meet its GDPR obligations it may be subject to a penalty
• if it fails to meet its GDPR obligations it may have to pay compensation

If a supplier experiences a data breach, when data has been compromised in some way (for example disclosed to the wrong individual, lost, mislaid, deleted in error), they need to report it to the Council as soon as possible and will need to investigate what has led to the breach and what action now needs to be taken to mitigate or contain the impact of the breach. The Council has a data breach form that can help with the assessment.

Should a data breach occur that is likely to result in a risk to individuals' rights and freedoms, there will be a direct obligation under the GDPR to inform the Information Commissioners Office within 72 hours of the breach taking place. Processors can now be directly penalised for data breaches and receive fines for non-compliance.