Data processors beware: GDPR holds you responsible too
Law firms are data controllers for the purposes of the GDPR, in force from 25 May, but will also have many dealings with data processors. Who are they and what new obligations will they come under?
With 25 May 2018 no longer just a distant thought, implementing the GDPR is, or should be, on the minds of all data controllers. Law firms are data controllers but will use the services of data processors and will also have clients who are data processors.
We look at the new obligations that the GDPR brings for data processors.
Who is the data controller and who is the data processor?
Data controller: “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”.
Data processor: “in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller”.
Examples of data processors could include cloud storage providers, marketing software and database providers, payroll providers and even the company that shreds your confidential waste etc. The processor does not decide what happens to the data but merely acts on the controller’s instructions.
The Data Protection Act placed the legal responsibility for the processing of personal data with the data controller, albeit the requirement to have a contract in place gave the data processor contractual obligations. Crucially, if anything went wrong it was the controller who faced regulatory action from the ICO, and the controller who was fined – see Scottish Borders Council v ICO, where it was the processor who put the papers in the recycling bin, but the controller who remained responsible. The breach here was that Scottish Borders Council did not have an appropriate contract in place, though the fine was quashed on other grounds.
However, under the GDPR, processors now have their own obligations. If you are advising clients who are data processors you need to know that they could now be fined up to €10 million, or 2% of global turnover, if they are not compliant with these obligations. Read on to find out which areas of the GDPR apply to processors as well as controllers.
Although there was a requirement for controllers to have an appropriate contract in place under the DPA, the GDPR strengthens that obligation and provides a prescriptive list of what must be in that contract. Processors may have been asked to sign up to new terms and conditions by the controllers they provide services to, or they may have been asked about your compliance with the GDPR. Remember that because these terms will reflect the GDPR terms below, processors should be complying anyway not just because they are being asked to consider new contractual terms. Refusing to comply with new GDPR contractual terms and conditions may suggest that the processor is also in breach of the GDPR.
GDPR requirements for processors
Record of data processing
Data processors must keep a record of processing activities, including:
- the name of the processor and of each controller on whose behalf the processor is acting;
- the categories of processing that are being carried out;
- any transfers of data to third countries or international organisations and the suitable safeguards that have been put in place;
- a general description of the security measures in place, where possible.
This information must be made available to the Information Commissioner’s Office on request.
Data processors must implement appropriate technical and organisational measures to ensure data security. This is a risk based assessment and can include the consideration of pseudonymisation and encryption, regular reviews of system resilience, data availability, the ability to restore and recover lost data, and a process for regularly testing security. In order to assess this obligation the processor should know what data it is being asked to process so that it can assess the sensitivity and risks involved in the processing. This requires to be set out in the contract with the controller.
Notification of breaches
Processors must notify the data controller without undue delay (interpreted as “immediately” by the EU) on discovering a personal data breach. The definition of a personal data breach refers only to an incident where personal data are affected, and is not limited to simply unauthorised access, but also includes the accidental or unlawful loss or disclosure of data, as well as unauthorised or accidental destruction or alteration of the data.
Data protection officer
Certain processors will require to appoint a data protection officer (an individual who does not make decisions about processing but who monitors and advises on compliance):
- public authorities;
- those whose core activity consists of processing which requires regular and systematic monitoring of data subjects on a large scale; or
- those whose core activities involve processing special category data on a large scale.
There are restrictions on who the data protection officer can be. He or she cannot be the chief executive or head of IT, for example, as they are likely to make decisions that would conflict with the DPO’s advisory and monitoring role. This service can be outsourced.
Data processors cannot transfer personal data outside the EU or to an international organisation without there being arrangements in place to ensure an adequate level of protection in relation to that data. Some countries have been approved by the EU Commission, but if such an adequacy finding has not been made, you must put other measures in place. If the data is being transferred to the US, for example, then check that the organisation has signed up to the Privacy Shield.
Representative in the EU
Data processors established outside the EU, but who process the data of any person in the EU, are subject to the GDPR and must appoint a representative within one of the member states where the data subjects are located.
Data protection impact assessments
Although processors themselves are not obliged to conduct impact assessments, data controllers are if they embark on a new project and it is likely to result in a high risk to the rights and freedoms of individuals involved. Processors are required to assist the data controller in carrying out such risk assessments.
Remedies against processors
The GDPR provides that all data subjects will have the right to an effective judicial remedy against a processor as well as a controller, where they consider that their rights have been infringed as a result of any processing of their personal data which does not comply with the GDPR. This means that the processor can be directly accountable to the data subject.
The data subject will also be able to seek compensation for material and non-material damage suffered as result of an infringement of the GDPR from processors and controllers.
Processors can now also be fined by the ICO, as stated above.
Data controllers and contracts
Controllers must have a written contract in place with data processors and all contracts must include the following provisions:
- the processor must only process the data on the instructions of the controller;
- anyone processing data on the authority of the data processor must be subject to a commitment to confidentiality;
- appropriate security measures are in place;
- permission is sought from the data controller to appoint a sub-processor;
- the controller is advised of any new sub-processor if permission has been granted in general terms in advance;
- the processor must assist the controller to comply with data subjects’ rights and reporting obligations in relation to data breaches;
- to either return or delete the data once the processing has ended;
- an obligation to provide the data controller with information for audit/inspection purposes.
The contract must also set out information about the processing that is to take place, including what data are to be processed and why. Controllers are also obliged to carry out due diligence in relation to processors and to monitor compliance.
The above is a basic outline of the new obligations placed on data processors by the GDPR, and what you can expect from data controllers updating contracts. Some processors are also using the new GDPR obligations to demonstrate that they are a responsible data processor to reassure their clients, the data controllers, that they are a safe option post 25 May 2018.
Contracts are coming your way and it is essential that you take steps to commence implementation of the new GDPR requirements as soon as possible.
Laura Irvine is a partner and solicitor advocate with BTO solicitors email: firstname.lastname@example.org