Personal data breaches: the responsibility of the data processor

One of the aims of GDPR is “accountability”, and this is emphasised when it comes to personal data breaches – that is, breaches of security which lead to damage. Recital 85 of the GDPR illustrates the potential damage, which includes “discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality”.

By now, most relevant organisations will no doubt be honing their breach processes and procedures and running mock tests. However, it seems that the emphasis is very much on the data controller’s duties, which will include notifying the relevant supervisory body (usually the ICO for those in the UK) of a relevant breach within 72 hours of becoming aware of it.

Following that logic, a reliable breach procedure requires data processors to be on the ball about what constitutes a data breach and what their obligations are. Article 32.2 places a very firm duty on data processors, who must notify the data controller “without undue delay after becoming aware of a personal data breach”.

Many data processors will be employees of the data controller and, as such, there is a duty to provide adequate GDPR awareness and training to those data processors because they are employees. There is no “official” survey as to how many employees/data processors have received that awareness training, but recent research by Coventry University found that only 26.7% of IT staff have received some GDPR communication or training, whilst 64.6% of employees who have access to personal data had not received any GDPR communication or training.

Is it fair to rely on someone processing data to just be aware of the changes brought about by GDPR without any effort on the employer’s part? A data processor’s failure impacts on every data subject involved and is likely to lead to damage to the data processor’s own reputation, aside from the consequences that the data controller themselves must face.

There does seem to be a general reluctance to jump on board with GDPR, with even those who are more willing to step up having very small or non-existent budgets. Computer Weekly reported that only 10% of UK companies polled at the end of 2017 had allocated a budget for GDPR compliance. Somewhat embarrassingly, there are even reports that at the end of 2017 US companies had made more progress with GDPR compliance than UK organisations (22% in the US compared to 8% in the UK).

GDPR compliance is not a choice; it’s mandatory, and so is an employer providing adequate training for their employees. With budget- and time-friendly online options available, GDPR training is within every business’s budget. It remains to be seen what action employed data processors will take, in terms of their employment law remedies, when mistakes are made through this lack of training and knowledge. But with at least the prospect of heavy fines, are employers sure they want to take that risk?


By Bob Edwards, GDPR and CyberCrime consultant, Lawhound

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at