Processor Instruction Record
A Processor Instruction Record logs the specific directions your organization sends to service providers that process personal data on your behalf. While a contract (such as a DPA) sets baseline obligations, day-to-day operations often require clear, time-stamped instructions—for example: pausing processing for a legal hold, deleting a defined dataset following a rights request, correcting data, restricting access, or applying a security change. This log captures the instruction, scope, owner, deadline, acknowledgement, and completion evidence so you can demonstrate that processing is performed under your direction and that exceptions or changes are governed through a documented workflow. In audits or investigations, the record provides a practical trail showing how vendor processing was directed, tracked, and verified over time.
Instructions must clearly define the subject matter, duration, nature, and purpose of processing, the type of personal data, categories of data subjects, and the specific security measures required. Organizations must also provide specific data processor instructions for data erasure, return, and assistance with data subject rights requests.
To ensure processor instruction compliance, instructions should be documented in a written format (digital or physical) within a centralized processor direction record. This includes maintaining logs of emails, ticketing system entries, or formal change orders that are time-stamped and acknowledged by the vendor.
Processor instruction documentation requires sufficient granularity to avoid ambiguity. It should specify exactly which data sets are in scope, the precise processing operations permitted (e.g., 'storage only' vs. 'analytics'), and the technical standards for security and transfer mechanisms.
Organizations can ensure adherence by incorporating audit rights into the contract, requiring regular confirmations of compliance, reviewing processing instruction record logs, and mandating that the processor obtains written approval before deviating from the agreed instructions or engaging sub-processors.
If a processor deviates from documented instructions, the deviation typically constitutes a breach of contract and may be considered a security incident. The organization must take immediate steps to mitigate the risk, potentially suspending data transfers, and assess whether the deviation resulted in unauthorized processing or a data breach.
Processor instruction management involves establishing a formal change management process. Any updates to instructions (e.g., new processing purposes) must be formally communicated, documented in the log with a new version number, and acknowledged by the processor to maintain an accurate audit trail.
A processor instruction audit involves sampling the instruction logs and verifying them against the processor's actual activities and system configurations. Auditors check whether instructions regarding data deletion or security patches were executed within the required timelines and whether the processor provided evidence of completion.
If an instruction given to a data processor conflicts with applicable laws, the processor is usually required (by contract and law) to immediately inform the organization before processing. The instruction should then be paused and legally reviewed so that the data processing instructions can be amended to align with regulatory requirements.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-13 | WatchDog Security GRC Wiki Team | Initial publication |