Are data processors ready for GDPR?
February 20th, 2018
For the first time, data processors face direct statutory obligations of their own.
Under the GDPR, the concepts of ‘controller’ and ‘processor’ have not changed, but both will find themselves subject to stricter rules and obligations. The GDPR differs from the current regime in that both controllers and processors are now held liable for data protection compliance, not just the controller.
First things first, it is worth brushing up on the data protection language and explaining who is who. A ‘controller’ is any entity that decides what personal data to collect and how it is used, while a ‘processor’ is any entity that processes personal data on behalf of the controller, for instance payroll companies, data centres, accountants and cloud service providers.
It is noteworthy that the upcoming GDPR legislation increases the accountability of the processor, which makes the contract between controllers and processors even more important: the controller needs to cover its potential liability by imposing additional obligations on processors to ensure compliance at all times.
Some of the key responsibilities of processors are:
1. Accountability: maintain a written record of activities carried out on behalf of the controller
2. Consultation: seek consultation with the supervisory authority on any high-risk processing activity whose risks cannot be mitigated
3. Data Security: ensure that appropriate technical and organisational security measures are in place
4. Sub-processors: do not appoint or replace sub-processors without the prior authorisation of the controller
5. Data Breach Notifications: notify the controller without undue delay on becoming aware of a personal data breach
Some of the key responsibilities of controllers are:
1. Data Protection Policies: comply with the six principles relating to the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality of personal data
2. Due Diligence and Audit: confirm that data processors are committed to an obligation of confidentiality and compliance
3. Accountability and Governance: implement technical and organisational measures to ensure, and be able to demonstrate, that processing activities comply with GDPR requirements
4. Data Protection Officer: appoint a DPO, where required, to facilitate compliance with the GDPR
5. Codes of Conduct: use approved codes of conduct to understand how to adopt good practice and your responsibilities as a controller
After 25th May 2018 we expect a lot of finger-pointing, so to avoid gaps in responsibilities and confusion in the event of a data breach, we advise you to apply more diligence to the processes by which you select new processors and to re-qualify your current relationships with clients, suppliers and partners.
Under the GDPR, you should only use data processors that can provide sufficient guarantees and demonstrate compliance with the new regulations; you would not want to pay penalties for a lack of proper evaluation and appropriate contractual requirements. It is therefore essential to review the contracts you have in place and for each party to understand its respective responsibilities and liabilities, as the controller will no longer have to take complete responsibility for any shortcomings of the processor, provided that all requirements are explicitly stated in the relevant contract. Data processors now play a more active role, and it is in the interest of both parties to set out the requirements as clearly as possible.
Here is what you need to do next if you are a processor: review your existing contracts with controllers, including what they say about sub-contractors and data export arrangements; review your current data security measures; understand your exact responsibilities; and think about whether you need to appoint a Data Protection Officer and set up compliance accountability procedures.
If, on the other hand, you are a controller, here is what you need to do next: review all your current data processing activities and your written contracts with existing processors, understand your exact responsibilities, make sure your processors are compliant, and give them exact, documented instructions.
Here at Tech Essence, we recognise the importance of the lead generation supply chain and how much impact the GDPR will have on the relationship between data controllers and data processors, so we have developed a feature that lets you undertake all your due diligence on new and existing data processors in one central location: Marketing Town! On top of that, you can automatically schedule monthly audits of each and every supplier to save time and to ensure your processors are compliant and remain compliant at all times. If you would like to see the magic in action, please get in touch with Ricki on 07900 955751.