Customer Breach Support

Decoding the data controller and processor relationship in a data breach

August 2019

What would you do if your data processor had a data breach? This paper explores the complexities of the relationship between data processors and data controllers.


When a data processor has been impacted by a data breach and sensitive data may be in the hands of cyber criminals, the next target will be the actual data subjects, whether that is for a spurious phone call scam or to hack into their online accounts. As the data controller, the sooner your customers know they are at risk, the sooner they can take action to protect themselves. Therefore, quick notification is vitally important.

Understanding clearly who will do what, how and when in the midst of a data breach is key to the delivery of a successful data breach response and ensuring the protection of your customers, not to mention your brand and reputation.

Our key considerations

From our experience, very few businesses conduct tabletop exercises with their processor to discuss and agree in detail how they would handle a data breach.

When a data processor is impacted by a data breach, which affects multiple data controllers, there are three questions relating to cost and complexity that need to be addressed:

  1. Who picks up the costs, across processor and controllers, of dealing with the data breach?
  2. How do you minimise complexity to ensure that customers receive the best service?
  3. What is the overall lowest cost route for delivering customer breach support?

Looking ahead

GDPR clearly lays out the requirements placed on data processors and the expectations on data controllers to assure standards are met. As ever, with situations such as data breaches, clarity of responsibilities will be key in doing the right thing for customers who can easily be forgotten.

It is clear that at a point of operational crisis, the controller-processor relationship is one that must be fully understood and supported by comprehensive agreements and associated capabilities. This will ensure that customers get a fast and effective response that supports and protects them — a key step in preventing avoidable damage to reputation and potential litigation claims.

To recover from the blow of a breach, organisations must demonstrate a well-considered, fully resourced and professionally delivered response in order to provide an outstanding customer experience, whatever the circumstances.

Dominic Cockram, Partner, Customer Breach Support
