Philip James: Licenced to process?

Under the Data Protection Act, data controllers (those who decide what to do with personal data) are responsible for complying with the Act, whereas data processors (those that only process data on behalf of a data controller) have no direct statutory obligations or responsibilities.

The only mention of data processors is in relation to the Seventh Principle of the Act, which requires data controllers to:

  • ensure appropriate security measures are taken to protect personal data (as are commensurate with that data);
  • be vigilant to ensure that only trustworthy and reliable staff have access to personal data;
  • conduct due diligence to ensure that any data processor which you appoint meets the same standards outline above; and
  • have a written contract with any data processor requiring that data processor to comply with your instructions only (and no one else’s) in relation to that data and keep it secure (as well as abiding by the principles outlined above).

Even though you may have a breach of contract claim if your appointed data processor does not comply with its contractual duties, it is your door that the Information Commissioner will be knocking on (as the data controller) if personal data is mislaid. And it is also you who may be fined or face criminal sanction – not the data processor working on your behalf.

Yet most of the high-profile data losses and security breaches in recent times have occurred while data has been in the hands of data processors, such as the Financial Services Authority” after “enforcement authorities. So why aren’t data processors also responsible under the Act for keeping personal data secure?

Making data processors responsible for compliance could enable the Information Commissioner’s Office (and other enforcement authorities) to introduce some sort of licensing system, under which companies who wish to offer their services as data processors are recognised as a safe pair of hands. This, in turn, may enable the European Commission to develop a more sophisticated system of protecting personal data.

In other words, if we can entrust our personal data to the hands of an experienced few, more stringently regulated, data processors, we may achieve greater control and security in relation to the way personal data is handled.

Philip James, senior associate, media, brands and technology, Lewis Silkin

Latest from Marketing Week


Access Marketing Week’s wealth of insight, analysis and opinion that will help you do your job better.

Register and receive the best content from the only UK title 100% dedicated to serving marketers' needs.

We’ll ask you just a few questions about what you do and where you work. The more we know about our visitors, the better and more relevant content we can provide for them. And, yes, knowing our audience better helps us find commercial partners too. Don't worry, we won't share your information with other parties, unless you give us permission to do so.

Register now


Our award winning editorial team (PPA Digital Brand of the Year) ask the big questions about the biggest issues on everything from strategy through to execution to help you navigate the fast moving modern marketing landscape.


From the opportunities and challenges of emerging technology to the need for greater effectiveness, from the challenge of measurement to building a marketing team fit for the future, we are your guide.


Information, inspiration and advice from the marketing world and beyond that will help you develop as a marketer and as a leader.

Having problems?

Contact us on +44 (0)20 7292 3703 or email

If you are looking for our Jobs site, please click here