24 October 2017
GDPR: Seven things to do if you’re a digital data processor
In case you’ve missed it, there are new data protection rules coming next May thanks to the EU General Data Protection Regulation (GDPR), which shake up the current data protection regime in the UK. Whilst the UK is leaving the EU, the GDPR comes into force across the whole of Europe next year, before Brexit, and even after Brexit it will remain part of UK law thanks to a new Data Protection Bill currently being debated in Parliament, so there’s no escaping its reach.
The GDPR makes several significant changes to the way businesses process “personal data”, but this article is going to focus on the new requirements facing those seen as data processors and their relationship with the data controller.
GDPR, Controllers and Processors
By definition, data processors are those organisations that process data on the instruction of a data controller (the organisation that collected the data in the first place). Under previous legislation (Data Protection Act 1998) there were minimal rules (mainly about security of data) in place regarding the controller-processor relationship and the buck stopped with the data controller if there was a breach of the law. Under the GDPR however, that’s all changed.
The GDPR requires (see Chapter IV) much stricter controls on the controller-processor relationship and new responsibilities for processors. Essentially, the new rules mean:
- The controller needs to ensure that the processing carried out by the processor is GDPR compliant and enables the controller to maintain its own compliance
- The controller-processor relationship must be governed by a comprehensive list of contractual terms (as set out in Article 28)
- New liabilities and responsibilities for data processors
In practice these new rules mean that processors are likely to be asked by their clients to prove they are GDPR compliant and new contracts will be drafted to address the contractual obligations. Furthermore, those who are, by definition, data processors will need to make sure they meet the requirements of the GDPR, specifically relating to them, including:
- to act only on the documented instructions of the controller
- not to use a sub-processor without the consent of the controller
- to co-operate with the regulator (i.e. the Information Commissioner’s Office (ICO) in the UK)
- to keep records of processing activities (under certain circumstances)
- to notify the data controller if a breach occurs
- to appoint a Data Protection Officer (under certain circumstances)
- to appoint an EU representative (when applicable)
Failure to adhere to these rules can lead to legal remedy such as fines and legal action.
Who are Processors?
Traditionally, businesses tend to think of outsourced marketing companies, HR consultants or payroll providers as the kind of third parties considered data processors, but in reality it is any third party that processes data on behalf of the data controller. In an increasingly digital world, that means hosting providers, cloud service providers, software providers (SaaS), etc. It also means that software developers, web developers and app developers who provide a platform that includes the processing of personal data for their clients are caught within the definition of data processors if they are facilitating the hosting.
Exactly what this means will really depend on each business and the services they provide, but essentially if your business provides a service that allows the processing of personal data for your clients then you are a data processor and these new GDPR rules apply to your business.
With the deadline for compliance being 25th May 2018, when the GDPR becomes law across Europe, time is tight in terms of preparing your business for compliance, but the following steps should help you on the road to compliance by the deadline.
7 practical steps to take
- Prepare your business for the GDPR by understanding what it means for your business and determining whether you fall within the definition of a data processor. You need to decide whether the service you provide processes data on behalf of your clients, and remember that processing includes everything from storing personal data to using it.
- Audit your business to understand what data, systems and policies you have in place that make you GDPR compliant and what gaps in compliance you have. You’ll need to determine what needs changing and put a plan of action in place to ensure you meet the compliance deadline, bearing in mind the regulatory duties the GDPR imposes on data processors.
- Even if you don’t need to document your processing activities (i.e. you don’t meet the requirements set out in the GDPR) it’s worthwhile documenting as much as possible even if it’s part of a general data protection policy for your business. Having documentation in place will help show you are taking data protection seriously which is a great positive for your customers but also can be helpful should you ever need to deal with the ICO.
- Prepare a GDPR statement which you can provide to your clients and potential clients. This statement should provide all the reasons your service is GDPR compliant and how it allows the customer to be GDPR compliant. Having a statement ready will pre-empt any enquiries you may get from your customers.
- Consider what the best way is for you to implement the contractual requirements of the GDPR between yourselves and your customers. In practice this will depend on how you manage the contractual relationship now – if generally your clients provide a contract for you to sign you can expect to receive updated contracts from them anytime from now until May next year; if the contractual relationship is via your terms of service then you need to consider how your T&Cs can be updated to take on board the contractual obligations now needed between you and your customers.
- Make sure everyone across your business has at least a basic understanding of data protection compliance. If you train them and/or provide GDPR-related training materials, it will not only help with your own compliance but also enable your staff to understand what role they play in data protection compliance.
- Make sure you continue to maintain your compliance. Data protection is not a one-off exercise: you will need to maintain compliance and keep up to date with all developments that affect the UK’s data protection regime. As well as the GDPR, there will be a new Data Protection Act, Brexit, ICO and EU guidance, and potential precedents set across the EU that could impact on your ongoing data protection compliance.
When it comes to data protection compliance there’s a lot to think about. The GDPR introduces new responsibilities on organisations that process data on behalf of their customers as well as requiring data controllers to ensure their processors are GDPR compliant.
Time until the GDPR deadline is running out, but provided you put in place a plan of action to meet your compliance requirements, you should be able to make that deadline.
About the author
This guest post has been written by Mark Gracey, founder of the Flavourfy Digital consultancy and the Digital Compliance Hub, an online resource to help businesses meet their digital regulatory obligations including GDPR compliance, privacy and marketing compliance and data security.