The 9ine Blog

9ine helps thousands of school leaders and IT teams protect their stakeholders by publishing critical changes, updates and best practice blogs. 

Subscribe to 9ine's monthly newsletter, 9News to receive monthly blogs delivered right in to your inbox.



Processor or controller – your GDPR obligations

To comply with the GDPR, you need to know when you are a Data Controller or a Data Processor and what your obligations entail. In fact, you may even be a Joint Controller. 

Here, in the latest article in our series of GDPR guidance, we explore the roles and the information you need to know. 

The GDPR requires organisations, including schools, colleges, and universities to document the data processing activities they undertake, and assess these against Article 32 (security of processing). 

For each process, you also need to identify whether you are the Data Controller, Data Processor or Joint Controller. 

  • A Data Controller is:

    “A natural or legal person who (either alone, jointly or in common with others) determines the purposes and means of the processing of personal data.”

    Where two or more controllers act together, they are Joint Controllers. 
  • The Data Processor is:

    “A natural or legal person (other than an employee of the Data Controller) who processes personal data on behalf of the Data Controller.”

Under Article 30, it is mandated that organisations document their records of processing. That, in turn, enables the determination of roles and the assessment of technical and organisational security measures for processing proportionate to the resources of the organisation. 


GDPR Readiness Tool Kit

Our GDPR Readiness Tool Kit has been designed to allow organisations to easily and efficiently undertake the data mapping process. It also enables you to identify whether you are the controller, processor or joint controller. 


Where you are the Controller … 

… and have providers processing data on your behalf (for example, cloud-based systems, IT managed service companies, and bus companies which are provided health data on the students they transport), they need to be mandated to process on clear instruction from you. They also have to ensure they comply with various Articles, including Article 32 - 36.


In making sure they comply, your contract with them needs to clearly state: 

  • The processing activities they are undertaking.
  • The technical and organisational measures used to protect the data being processed.
  • How they will enable you to comply with the various rights that can be exercised.


Where you are the Processor …

You may have other data controllers asking you for evidence of compliance with Article 32 and Article 30 and how you will support them with Article 33 - 36. To be able to do this, you need to have completed the data mapping process, with assessment versus Article 32 and Data Protection Impact Assessments (DPIAs) where necessary. 

Importantly, regardless of whether you are the processor or have providers process data on your behalf, the controller has the right to audit your compliance with the GDPR. 

If a regulation is giving the opportunity to allow for audit, then it is fully expected that organisations will be expected to use that right as an appropriate organisational and technical measure for compliance. 

In defining the relationship between your organisation as the controller and your processors, you will need to review: 

  • The legal contracts you have with suppliers.
  • The privacy statement on your website.
  • The disclaimer on your email.


You will also have to update various other documents to ensure you have the relevant protections in place and inform data subjects of which information is being shared with external parties. 

Further, you may consider having suppliers to your organisation complete an Information Security Questionnaire to evidence compliance with the codes of conduct and certifications that are mandated by the GDPR. 


Suite of education-focussed legal documents

At 9ine, we are working closely with our clients to ensure the relevant protections are in place. 

We are also working together with Kemp IT Law, the global leaders in data protection, winners of the Fintech 2017 Awards for Data Protection and whose founder, Richard Kemp, is identified as being one of the top five IT lawyers in Europe. 

This has enabled us to create a specific suite of ready-to-use, education-focussed legal documents that can be cost-effectively used to support your compliance under the GDPR. 

Whether you are the processor, controller or joint controller, it is very clear within the GDPR that you need to understand the processing activities you undertake and the protections you apply to those activities. 

Our GDPR Readiness Tool Kit enables you to complete this process. Where more support is required we also provide: 

  • GDPR Certified Practitioner courses for those responsible for GDPR compliance.
  • At-school training courses for your staff in communicating the impact of the GDPR and steps for compliance.
  • Assessment of your IT systems for compliance with the 10-steps to Cybersecurity and risks, given the obligations of Article 32.
  • Cybersecurity penetration testing of systems and web applications.
  • Data protection advisory for developing and implementing your subject access request policy, process and procedure.
  • Technical and data protection consultancy advisory service to help you to complete data protection impact assessments.
  • Ongoing, annual service plans to support your school in maintaining compliance.