In this next bulletin of our series on the General Data Protection Regulation (GDPR), we discuss the changed role of "Data Processors".
The GDPR is set to come into force on 25 May 2018 and will result in increased obligations on, and significant changes for, Data Processors.
Who is the Data Processor and Data Controller
The definitions in the GDPR of "Data Processors" (Processors) and "Data Controllers" (Controllers) are much the same as in the Data Protection Act 1998. In short the Controller says how and why data is processed whereas the Processor acts on the Controller's behalf to process the data. If you outsource part of your business operations to a third party, for example, a pay roll function, it is likely that your organisation will remain in charge of the information as Controller, with the third party contractor using that information only on your instructions as a Processor.
Obligations of a Processor
Processors will now have very specific obligations on them under GDPR and will be jointly and severally liable with the Controller for any breach. Processors are specifically obliged to ensure that they always act in accordance with the Controller's instructions (including the use of any further subcontractors); ensure that they have appropriate security measures in place; co-operate with the ICO and appoint a Data Protection Officer where appropriate; and notify the Controller without undue delay of any personal data breach.
Data Processing Agreements
Despite the increased responsibilities of Processors, Controllers are not relieved of obligations where a Processor is in place. Indeed the GDPR places further obligations on Controllers to ensure that they only use Processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing will meet the requirements of the GDPR. Before appointing a Processor, a contract must be in place setting out a description of the:
- scope, nature and purpose of processing;
- duration of the processing; and
- types of personal data and categories of data subjects.
In addition, the contract must set out specific obligations that the Processor:
- may only process personal data on the documented instructions of the Controller;
- must ensure that the personal data remains confidential;
- must keep the personal data secure and must assist the Controller with their security and data breach obligations, including notifying the Controller of any personal data breach;
- may only use a sub-processor with the written consent of the Controller;
- must assist the Controller to comply with requests from individuals exercising their rights to access, rectify, erase or object to the processing of their personal data (please see our May 2017 bulletin on rights of data subjects for further information);
- must assist the Controller should it need to carry out a privacy impact assessment;
- must, at the choice of the Controller, return or delete personal data at the end of the agreement;
- must make available to the Controller all information necessary to demonstrate compliance with the obligations of the GDPR and inform the Controller if, it considers the Controller's instructions would infringe the data protection law;
- shall remain responsible for any processing by a sub-processor but in any event must ensure it flows down these obligations to them.
Preparing for the change
Given the significant changes to the obligations of processors, the GDPR will impact all aspects of the processing relationship whether you are looking at this from the Controller or Processor point of view. The GDPR's increased emphasis on accountability and the ability to be able to demonstrate compliance will also impact on how Controllers appoint Processors.
It will be crucial to keep records documenting the decision process. The increased liability of Data Processors will also impact on the risks associated with processing personal data for both Controllers and Processors (see our April 2017 bulletin).
Accordingly, in the run up to May 2018 you need to consider reviewing all current data sharing agreements and updating the contracts to include the new data processor provisions and provide adequate protection for your organisation including the allocation of risk between the Controller and Processor.