Data Protection Day—data processors and the GDPR
IP & IT analysis: Data Protection Day aims to raise awareness as to how data is used and explores the latest developments in data protection regulation. As part of our Data Protection Day series, Hazel Grant, partner and head of privacy at Fieldfisher, along with senior associates Kate Pickering and Amy Lambert, considers the area of data processors in the private sector in light of the forthcoming EU General Data Protection Regulation (GDPR).
How do the new rules affect data processors?
The GDPR expands the scope of the application of EU data protection law. For the first time, data processors (ie entities who process personal data on behalf of a data controller) will be obliged to comply with particular data protection requirements which previously only applied to data controllers (ie entities who determine why and how personal data are processed).
How does this differ from the current regime?
At present, the Data Protection Directive 95/46/EC (the Data Protection Directive) only imposes statutory obligations on controllers (ie only the controller is held liable for data protection compliance, not the processor).
Processors are generally only subject to obligations that the controller imposes on them by way of contract. For example, in a service provision scenario, the customer (the controller) will flow down data protection responsibilities and obligations to the service provider (the processor) within the service contract, to protect itself against unnecessary data protection compliance risk.
In contrast, the GDPR introduces direct statutory obligations on processors and severe sanctions for compliance failures. This is a significant culture change for processors. These obligations include:
- accountability—processors must now maintain written records regarding all categories of personal data processing activities carried out on behalf of a controller
- co-operation and consultation—processors must co-operate, on request, with the supervisory authority in the performance of its tasks. The processor, prior to processing personal data, may need to consult the supervisory authority in certain cases to ensure effective protection of the rights and freedoms of data subjects
- sub-processors—processors cannot enlist another processor or replace a processor without the authorisation of the controller
- data security—processors must have appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk. Processors will need a comprehensive understanding of their systems, of the type of data they process (eg is the data sensitive?) and of whether they engage sub-processors, and must implement the technical and organisational measures necessary to ensure data integrity and security
- data breach notifications and data subjects—processors must notify the controller without undue delay upon becoming aware of a data breach. Data subjects will also be able to claim compensation for unlawful processing of their personal information
- sanctions—non-compliant businesses risk fines of up to 4% of global annual turnover
- data protection officers (DPOs)—in certain circumstances processors will now have to designate a DPO (eg where the processing is carried out by a public authority, where the core activities require regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of personal data)
What impact will these new rules have on businesses?
The liability profile for businesses that act as processors will increase significantly once the GDPR comes into effect. Processors will need to understand their statutory obligations and take the necessary steps to comply. Under the GDPR, processors (such as technology vendors, datacentres and cloud service providers) established in the EU will be subject to direct statutory obligations, rather than just the obligations imposed on them by contract. As such, it is likely we will see harder negotiations between controllers and processors, and more detailed contracts as the parties battle it out to agree their respective proportion of the liability risk. Controllers are also likely to increase the level of due diligence prior to contracting.
What steps should businesses take now?
While there are at least two years before the GDPR comes into force, given the breadth and depth of change in the substantive requirements, this isn't really very long. A lot of fact finding, careful thinking, planning and operational implementation will be required to be GDPR ready in 24 months. Businesses should assess whether any of their EU-based group companies act as processors, as these companies will be captured under the GDPR.
Non-EU companies that act as processors will now also be captured, and will have direct statutory obligations for their activities as processors, if they undertake processing activities which are related to:
- the offering of goods or services to data subjects within the EU
- monitoring the behaviour of European data subjects—as far as their behaviour takes place within the EU
If either of these scenarios applies, you should assess the level of awareness of, and readiness for, compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR. If you are a multinational business with EU and non-EU affiliates which will (or may) be caught by the GDPR, you will also need to consider intra-group relationships, how you position your group companies and how you structure your intra-group data transfers.
Finally, businesses will have to comply with new documentation requirements. Smart businesses should start preparing their data breach processes and auditing their data processing activities and their lists of sub-processors now to ensure that they can adequately document their activities before the GDPR bites.
This article was first published by LexisNexis on 27 January 2016.