Employees, the insider threat, and the controller-processor relationship
Article 32(4) covers employees and other workers acting under the controller's or processor's authority - read with Article 5(1)(f) and Article 28(3)(b), it creates what is effectively a duty of confidence. The risk they pose is the insider threat, managed by policy, training and proportionate monitoring. Article 28 flows security down the supply chain: controllers may only use processors who give sufficient guarantees, proven through assurance such as audits and certifications. If a processor exceeds its instructions it risks being treated as a controller under Article 28(10).
Article 32(4) concerns employees and other workers under the authority of the controller or processor. Read with Article 5(1)(f) ('integrity and confidentiality') and Article 28(3)(b) (workers under processors owe a duty of confidentiality), it effectively creates a duty of confidence. Workers must act within their instructions and must not misuse data (e.g. by unauthorised disclosure or copying). This risk is the insider threat, to be managed with robust policies, role-based and regular training, clear consequences, and proportionate monitoring that avoids workplace privacy violations.
Article 28 governs the whole controller-processor relationship and the supply chain, not just security. It limits controllers to using processors who provide sufficient guarantees about appropriate technical and organisational measures. 'Sufficient guarantees' means more than a contract - it requires proof of competence via assurance: inspections, third-party assessments, validated certifications, and audits (Article 28(3)(h)), both before and after contracting. If the controller cannot establish proof, it must walk away or be in automatic breach of Article 28.
A processor may only act on the controller's instructions. By Article 28(10), if it steps outside its instructions it risks being defined as a controller, with all the attendant obligations. New under the GDPR is the processor's duty to assist the controller with compliance and risk reduction, including assisting with breach notification (Article 28(3)(f)) - requiring close working between the two on incident detection and response.
The contract is a key mechanism, but sufficient guarantees really demand proof of competence via audits, inspections and certifications. No proof → the controller must walk away.