Cyber Security Training & Software for Companies | MetaCompliance


Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters



Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 

Financial Services

Creating A First Line Of Defence For Financial Service Organisations


A Go-To Security Awareness Solution For Governments


A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives



From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

MetaCompliance | Cyber Security Training & Software for Employees


With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

Security Awareness Automation

Easily Automate Security Awareness Training, Phishing And Policies In Minutes


Stay informed about cyber awareness training topics and mitigate risk in your organisation.

What is a Data Processor under GDPR?

title 3

about the author

Share this post

It’s hard to believe that we’re approaching the one Year Anniversary of the GDPR. After a two-year transition period, the GDPR came into force on the 25th May 2018, and completely transformed how organisations approach data privacy.

The legislation was introduced to reflect our increasingly digitalised world and recognise the rights of individuals with regard to the use of their personal data.

Many organisations have spent a lot of time and effort ensuring they are compliant with the new legislation, however for others, it has been a more difficult and arduous journey. Demonstrating compliance with the GDPR is an ongoing process and there are many aspects of the legislation that still require clarification and can prove confusing for organisations.

Two terms that we hear constantly in relation to GDPR are ‘Data Controllers’ and Data Processors’. It’s important to understand the distinction between these two terms as it will determine your responsibilities under the legislation.

The distinction between a Data Controller and a Data Processor can have significant real-world consequences. If an organisation is involved in data processing, it’s vital they establish roles and responsibilities at an early stage to avoid any confusion should a data breach occur. This will help ensure that there are no gaps in responsibilities and organisations can deal with these issues efficiently and effectively.

What is personal data?

If your organisation processes personal data, then the GDPR applies to you. The EU defines ‘Personal Data’ as any information that can be used to directly or indirectly to identify an individual (data subject). This will include everything from a name, email address, IP address and images. It also includes sensitive personal data such as biometric data or genetic data which could be processed to identify an individual.

Are you a ‘Data Controller’ or ‘Data Processor’?

1 6
1 6


If your organisation determines the purposes and manner in which personal data is processed, then it’s considered to be a Data Controller.

Date Controllers play a key role in GDPR compliance because of the customer and employee personal data that they retain and collect.

Data Controller duties include:

  • Facilitating increased transparency of privacy data handling relative to Data Subject requests
  • Ensuring that Data Subjects are handled within the timelines defined by the GDPR
  • Carrying out privacy assessments and appointing DPOs
  • Notifying Supervisory Authorities of data breaches within 72 hours of breach discovery
  • Monitoring and responding to changes in compliance mandates
  • Replacing identifying data fields with pseudonyms and encryption of personal data
  • Maintaining records of personal data processing via a Personal Data Register
  • Managing and governing third party interaction relative to the processing and handling of personal data

Who is a Data Processor and what are their responsibilities?

Data processor responsibilities

If a person, organisation, agency or other body acts on behalf of a Data Controller, then they are considered to be a Data Processor.

Examples of a Data Processor include:

  • An outside agency (Ex: a company responsible for disposing of client information)
  • A cloud provider that stores personal data
  • Any service provider acting on your behalf with access to personal data of a customer or employee

Read also the Dummies guide to ePrivacy Regulation

Data Processor duties include:

  • Deciding what IT systems or other methods to use to collect personal data
  • How to store personal data
  • Security of the data
  • Means used to transfer data from one organisation to another
  • Means used to retrieve personal data about certain individuals
  • Ensuring the method behind the retention schedule is adhered to
  • Means used to delete/dispose of data

Data Processors are subject to several new obligations under the GDPR, which include maintaining measures that allocate adequate levels of security for personal data relative to the potential risk.

Data processors are required to abide by the instructions of Data Controllers unless these instructions conflict with the GDPR itself.

Can a Data Controller also be a Data Processor?

There are certain grey areas where situations may overlap making it difficult to distinguish if you are a Data Controller or Data Processor. However, the ICO is clear in its advice stating: “An organisation cannot be both data controller and processor for the same data processing activity; it must be one or the other.

This means that in order to establish which organisation has data protection responsibility for which data, it is necessary to look at the processing in question, as well as the organisations involved. It is also important that, as far as is practicable, systems and procedures distinguish between the organisation’s ‘own’ data and the data it processes on behalf of the other data.”

Learn also what is valid GDPR consent

To ensure full GDPR compliance, organisations will need to clearly define roles and responsibilities to avoid falling foul of the legislation. If you are in anyway unsure where your organisation stands, you should consult legal advice for further clarification.

MetaPrivacy has been designed to provide the best practice approach to data privacy compliance. Contact us for further information on how we can help your organisation improve its compliance structure.

DISCLAIMER: The content and opinions within this blog are for information purposes only. They are not intended to constitute legal or other professional advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. MetaCompliance shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog.

Other Articles on Cyber Security Awareness Training You Might Find Interesting