GDPR question for outsourced paraplanners
Hi there. I had a meeting this morning with a guy who deals with GDPR (well, actually he deals with the fallout when people have problems with GDPR-related things like data breaches, etc.), and he was telling me that any clients that I sign up need to give me a data processing agreement (basically, the end client's agreement for me to process their data). Does anyone have experience of this? Do I need to do this or is this being overcautious? I'd be glad to see others' experience as I'd like to make sure I get this right from the start.
Thanks for your help
Comments
I would say you definitely need this if you are handling client data.
Yes, this would typically be covered under a Data Processing Agreement between you and the Data Controller (IFA). The DPA would cover how you (the Data Processor) process the personal data of the Data Controller's clients in order to provide your services.
Hi Andy, this depends on whether you are a sub-processor or data controller. Edevan5 is right: if you are a data controller then it's your responsibility to have this agreement in place, but if you are a sub-processor (as most outsourcers are) then it is the data controller that needs the agreement in place. Ordinarily the adviser's terms of business should cover this and your agreements with them should cover your role as a sub-processor.