processor

In privacy and data protection contexts relevant to industrial and regulated environments, a processor commonly refers to an organization or individual that processes personal data on behalf of another party that determines why that data is processed.

Core definition

A processor is an entity that:

• Processes personal data only on documented instructions from another party that decides the purposes and main means of processing (often called a controller or similar role in various frameworks).
• Uses technical and organizational measures to handle the data, such as collecting, storing, transmitting, analyzing, or deleting it.
• Does not independently decide new purposes for the data outside the instructions it receives.

In industrial settings, a processor could be, for example, a cloud provider hosting production and quality data that includes personal data, an MES or ERP service provider operating a managed service, or an analytics vendor processing sensor and operator data for a manufacturer.

Operational meaning in manufacturing and OT/IT

Within manufacturing and industrial operations, the processor role appears in scenarios such as:

• Hosted MES, historian, or quality systems where a service provider processes operator IDs, batch records, or deviation data on behalf of a plant or company.
• Third-party monitoring, predictive maintenance, or OT security platforms that ingest log files, badge IDs, or IP information from production networks.
• External HR, training, or access management tools integrated with shop-floor systems that handle personnel identifiers and access logs.

Contracts and data processing agreements typically define what the processor is allowed to do with the data, retention expectations, sub-processing, cross-border transfers, and security measures. The organization that decides the purposes for using the data is responsible for ensuring that the processor is appropriately selected and managed.

Relation to NIST 800-53 and GDPR

Under GDPR, a processor is specifically defined as an entity that processes personal data on behalf of the controller. NIST SP 800-53 does not use the same legal terminology, but it provides control families that can be used by processors and controllers alike to manage privacy and security risks.

In industrial environments, a service provider acting as a processor might implement NIST 800-53 security and privacy controls to support a manufacturer that has obligations under GDPR or similar privacy laws. The legal role (processor vs controller) comes from the applicable law and contracts, while frameworks such as NIST 800-53 help organize supporting controls.

Common confusion

• Processor vs controller: The controller (or similar role under other laws) decides the purposes and main means of processing. The processor follows those instructions and does not repurpose the data independently.
• Processor vs joint controller or co-operator: If two organizations jointly decide purposes and essential means, they may both be considered controllers under some laws, not a controller and processor.
• Processor (privacy role) vs CPU/processing hardware: In industrial automation, “processor” can also mean a CPU, PLC processor, or microprocessor that executes instructions. In privacy and compliance discussions, the term almost always refers to the data protection role, not the hardware component.

Secondary meaning in industrial systems

Separately from privacy terminology, in OT and IT engineering a processor can mean the hardware or logical component that executes instructions:

• A central processing unit (CPU) in a server hosting an MES or historian.
• The processing unit in a PLC, DCS controller, or embedded device on the shop floor.

In this technical sense, a processor is part of the computing infrastructure and is not a legal role in data protection.