Data Processor Responsibilities Under GDPR?
The GDPR will broaden the scope of data protection law by introducing new obligations on data processors, which will in turn affect the data controller-data processor relationship.
Who is the data controller?
A data controller is the natural or legal person (or public authority, agency or other body) that, alone or jointly with others, determines the purposes and means of processing personal data.
Who is the data processor?
A data processor is a natural or legal person (or public authority, agency or other body) that processes personal data on behalf of the controller. For example, if you outsource certain services (such as IT or cloud services) and the provider handles personal data on your instructions, you are the data controller and the outsourced service provider is the data processor.
Why does this matter?
Current data protection law generally imposes obligations only on data controllers, making the controllers liable for compliance by their processors. Data processors are liable only to the extent provided for in their contracts with the controllers.
With the tougher regime applying from 25 May 2018, the dynamics between processor and controller are going to change, with the processor becoming directly liable for its own compliance. The risk of enforcement action and penalties means data processors will want to make sure that their obligations are clearly set out in their standard terms of business. In addition, existing agreements with controllers may need to be renegotiated.
What are the changes?
Under the GDPR:
- Appointment of processors: Every contract appointing a processor must, among other requirements, oblige the processor to: act only on the controller's documented instructions; implement appropriate security measures for the personal data it processes; and engage sub-processors only with the controller's prior authorisation and on terms that impose the same data protection obligations on the sub-processor;
- Failure to comply with the controller's instructions: Where a processor determines the purposes and means of processing for itself (as opposed to acting on the controller's instructions), it will be treated as a controller and will therefore be subject to the full compliance obligations of a controller in respect of that processing;
- Reporting data breaches: Data processors must notify their controllers of a personal data breach without undue delay after becoming aware of it. Whilst this may be burdensome to processors, controllers will find it reassuring, because the controller must in turn notify the supervisory authority within 72 hours of becoming aware where feasible, and a processor that reports late eats into that deadline. The GDPR does not specify how far the controller should be involved in managing and remedying a breach reported by the processor, so this is a point the parties will want to address in their contract;
- Data security: Data processors must implement technical and organisational measures, appropriate to the risk, to keep personal data secure. The measures the GDPR lists as examples include pseudonymisation and encryption, the ability to restore availability of and access to the data in a timely manner after an incident (which in practice means tested back-ups), and a process for regularly testing and evaluating the effectiveness of the measures; and
- Cooperation with Data Protection Authorities: The obligation to cooperate with the supervisory authority on request, which currently applies to controllers only, will extend to processors as well.
What are the consequences of non-compliance?
The liability of data processors is currently limited to their contractual obligations towards data controllers.
Under the GDPR, data processors will be directly accountable to data subjects, who will be able to take action against them. In addition, processors will be contractually liable to the controller as well as open to sanctions by the relevant data protection regulator.
Fines under the GDPR are tiered. Infringements of the processor obligations described above (including the requirements on appointment, security and breach notification) attract fines of up to €10 million or 2% of annual worldwide turnover, whichever is higher. The upper tier of up to €20 million or 4% of annual worldwide turnover applies to, among other things, unlawful international transfers of personal data and failure to comply with an order of a supervisory authority.
Since processors will be held accountable for their own breaches, a controller may escape liability for damage caused by a processor's breach, but only if it can show that it is not in any way responsible for the event giving rise to the damage.
What does this mean for my organisation?
Because of their increased accountability under the GDPR, processors are likely to incur higher costs in complying with their new obligations. They may seek to pass these costs on to their customers.
In addition, contract negotiations between the controller and processor are likely to become more complex as the parties seek to allocate the risk of data protection non-compliance and to obtain indemnities against it.
It is therefore important for both processors and controllers to understand the upcoming changes and their legal and practical implications.
How can my organisation prepare for these changes?
With May 2018 inching closer, controllers engaging processors will need to understand these changes and the potential costs that they may incur in negotiating future data processing agreements.
Processors will need to understand their new responsibilities under the GDPR, review their measures for keeping data secure and ensure they have appropriate mechanisms in place for identifying and reporting any breaches to their controllers.
Finally, organisations should assess whether any of their group companies act as processors. Whether these group companies are established in the EU is not decisive: the GDPR applies to companies established in the EU, and also to non-EU companies whose processing of the personal data of individuals in the EU relates to offering them goods or services or to monitoring their behaviour.
To speak to someone in our data protection team about these changes and how they may affect your organisation, please email GDPR@bdb-law.co.uk
1 August 2017