
Controller/Processor life-cycle
Top 3 data protection program issues and how to start resolving them: #24
Understanding processing roles is often complex and can be a major source of irritation when the various parties don’t agree on, or misinterpret, each other’s roles, especially during the early phase of the lifecycle.
And although it may sound obvious, a phased life-cycle approach is essential, with gates, or exit criteria, defined between the various phases.
If not, things can turn sour as outlined in the following issues we often come across.
#1 Processor selection
Selecting a processor should follow your company’s vendor selection process, assuming you have one.
It may be anchored in procurement or sourcing, again, if you have these functions.
The process should reference a formal set of requirements that allows comparison of various parties.
This can go badly wrong when overzealous colleagues are coerced by the sales talk of a third party to move fast, resulting in the data protection team having to work under pressure, and without the ability to actively take part in comparing vendors…because only one was considered!
#2 Insufficient due diligence
Coupled with the first issue, critical due diligence steps get bypassed and your company enters into an agreement with a processor where little is known about them, other than that their solution or services are favoured by the business, often with little focus on, or understanding of, data protection.
#3 Imbalances between parties
There’ll be a world of difference between whether you are dealing with one of the large global players, or a smaller niche processor.
Here, imbalances of power come into play.
On the one hand, you’ll have little opportunity to push your requirements through to the big tech processor, and will probably need to accept working to their agreement, putting you on the back foot.
At the other extreme, if you push your stringent requirements too hard, it may be beyond the financial capability of a niche player to live up to them.
You then face a business decision whether to work at risk with them.
Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.
We’re based in Denmark, but operate globally.
If this issue resonates, book a call to discuss your requirements!
