New guidance on the supervision of data processors
As a researcher, if you work with external suppliers, for example in the form of systems for the processing of personal data, you are under a duty of supervision.
Managing a research project requires administrative oversight and compliance with numerous regulations. The Research Data Office is therefore producing several guides on the subject. The latest guide is about the supervision of data processors.
This is relevant if, as a researcher, you use systems or engage third parties that do not have a specific research purpose to carry out tasks involving the processing of personal data on your (AU’s) behalf.
Supervision means that you must check and follow up to ensure that the supplier is processing personal data in the agreed manner.
Supervision is straightforward, but must reflect the risks
The supervision of data processors does not have to be a time-consuming or complicated process. The supervisory approach must reflect the risks associated with the processing. Therefore, in many cases, it will be sufficient to obtain confirmation or status from the data processor that the processing is being carried out as agreed and in accordance with data protection rules (better known as the GDPR).
Step-by-step guide on website
On the website, you will find a guide to help you decide which type of supervision is appropriate in your case. Templates are provided to make supervision easier.
Link to guidance page here.
What is a data processor?
A data processor is a company, public authority or other party that processes personal data on behalf of AU and for AU’s purposes.
For example:
- A consultancy firm
- A cloud solution
- A system for collecting research data from an external supplier, etc.