FREE CHAPTER from ‘A Practical Guide to GDPR for Schools’ by Forbes Solicitors



Who is a Data Processor?

As discussed earlier, the school is a ‘Data Controller’ as it is the organisation that decides the manner and purpose of how personal data is collected and used. In contrast, a ‘Data Processor’ is an organisation or individual that processes personal information on behalf of a Data Controller. The school decides whether or not to provide the Data Processor with personal information in the first place, decides what personal information to send, and gives the Data Processor instructions as to what to do with the personal information. A Data Processor is not an employee of the Data Controller. Practically speaking, a Data Processor is a third-party supplier with access to personal information.

In a school setting, common examples of Data Processors are:

  • Caterers and cleaners;

  • Outsourced payroll providers;

  • Outsourced HR providers;

  • IT providers;

  • Teaching and learning portals;

  • Organisations providing you with reports and analysis of your exam results;

  • Confidential waste disposal;

  • Off-site data storage, including cloud-based services.

What is the difference between a Data Controller and a Data Processor?

The GDPR makes a distinction between Data Controllers and Data Processors and there are a number of factors to consider when employing the services of a Data Processor (discussed further in the section ‘What is Required’ below). Therefore, it is important to consider whether your third-party suppliers or partners are Data Processors or Data Controllers in their own right.

The key difference between a Data Controller and a Data Processor is the level of independence each party has in using personal data. Data Processors only use the information they are given under the instructions of the Data Controller. Guidance produced by the European Data Protection Board [1] says you should look at the following factors to consider whether a third party is a Data Controller or a Data Processor:

  • The level of instructions given to the party processing personal information which determines the degree of independence a Data Processor can exercise;

  • The monitoring by the Data Controller of the execution of the service; and

  • The expertise of the parties – in some cases, the role and professional expertise of a service provider will play a predominant role, which may result in the third party being a Data Controller in its own right.

In a school setting, common examples of other Data Controllers are:

  • Local authority;


  • DfE;

  • Pension providers;

  • Trade Unions;

  • Solicitors;

  • Accountants;

  • Exam boards;

  • Police;

  • NHS.

What is required?

The school is responsible for ensuring Data Processors comply with the GDPR. Therefore, if the school engages a Data Processor who does not comply with the GDPR, the school could face enforcement action and potential fines from the ICO and potential claims for compensation from affected individuals.

The GDPR places an obligation on the school, as a Data Controller, to only use Data Processors who can provide you with sufficient guarantees that they have appropriate technical and organisational security measures in place that meet the requirements set out in the GDPR [2].

In addition, the school is required to have a written contract with all its Data Processors which fulfils certain requirements set out in the GDPR. The GDPR is very specific about what the contract must include [3]. In particular, the contract with the Data Processor must confirm that the Data Processor will:

  • Only process personal information on documented instructions of the school;

  • Ensure that persons authorised to process the personal information (e.g. employees of the Data Processor) are subject to a duty of confidentiality (e.g. in their employment contract);

  • Take all necessary security measures as required by the GDPR;

  • Not engage another Data Processor (e.g. a sub-contractor) without the written authorisation of the school;

  • Assist the school in fulfilling any of your obligations, as Data Controller, if an individual makes a subject access request (or another request under the GDPR);

  • Assist the school in fulfilling your obligations to take all necessary security measures, notify you of any Personal Data Breach and assist you in conducting a Data Protection Impact Assessment (DPIA) where applicable;

  • Delete or return personal information to you at the end of the provision of services; and

  • Make available to the school all information necessary to demonstrate compliance with the GDPR, including allowing for audits and inspections conducted by the school or an auditor on the school’s behalf.

This written contract could form part of your supplier’s standard terms and conditions or could be through a standalone data processing agreement.

Practical Steps to Take

Given that the school is responsible for ensuring Data Processors comply with the GDPR, we have made some practical suggestions below of steps to take to ensure you comply with GDPR.

Existing Third-Party Suppliers

Where you have existing contracts with suppliers in place, we suggest taking the following steps:

  1. Make a list of all your existing third-party suppliers who are Data Processors;

  2. Review the terms of the contract with your suppliers to see whether the contracts contain clauses which cover all those listed in the section ‘What is Required?’ above;

  3. Send suppliers a GDPR questionnaire to complete so that the school can assess the supplier’s level of GDPR compliance; and

  4. If the terms of the contract do not include the necessary GDPR clauses, request that the supplier sends you a data processing agreement for you to sign.

New Third-Party Suppliers

Where you want to engage a new third-party supplier, we suggest taking the following steps:

  1. Ask the supplier to complete a GDPR questionnaire so that the school can assess the supplier’s level of GDPR compliance;

  2. Review the terms of the proposed contract sent by the supplier to see whether the contract contains clauses which cover all those listed in the section ‘What is Required?’ above;

  3. If the proposed contract does not contain the necessary clauses, ask the supplier to amend the contract so that it complies with the GDPR.

Once you have assessed the level of GDPR compliance the Data Processor has and have ensured the correct contract terms are in place, your responsibility as a Data Controller does not end there. You should have procedures in place to review your Data Processor’s compliance on an ongoing basis (e.g. annually or at the time of renewal of the contract) in order for you to be able to demonstrate your own compliance with the GDPR and, in particular, the ‘accountability principle’.



[2] Article 28(1) General Data Protection Regulation (EU) 2016/679

[3] Article 28(3) General Data Protection Regulation (EU) 2016/679