In case you’ve missed it, new data protection rules arrive next May thanks to the EU General Data Protection Regulation (GDPR), and they shake up the current data protection regime in the UK. Although the UK is leaving the EU, the GDPR applies across the whole of Europe from next year, before Brexit takes effect, and it will remain part of UK law after Brexit thanks to the new Data Protection Bill currently being debated in Parliament, so there’s no escaping its reach.
The GDPR makes several significant changes to the way businesses process “personal data”, but this article focuses on the new requirements facing data processors and their relationship with the data controller.
By definition, data processors are organisations that process personal data on the instructions of a data controller (the organisation that collected the data in the first place). Under the previous legislation (the Data Protection Act 1998) there were minimal rules governing the controller-processor relationship, mainly concerning the security of the data, and the buck stopped with the data controller if the law was breached. Under the GDPR, that has all changed.
The GDPR imposes (see Chapter IV, and in particular Article 28) much stricter controls on the controller-processor relationship and places new responsibilities directly on processors. Essentially, the new rules mean:
In practice, these new rules mean that processors are likely to be asked by their clients to demonstrate that they are GDPR compliant, and new contracts will be drafted to address the contractual obligations the GDPR now requires. Furthermore, organisations that are data processors will need to make sure they meet the requirements of the GDPR that apply specifically to them, including:
Failure to comply with these rules can lead to enforcement action, including fines, as well as legal claims.
Traditionally, businesses think of outsourced marketing companies, HR consultants or payroll providers as the kind of third parties that count as data processors. In reality, a data processor is any third party that processes personal data on behalf of the data controller, which in an increasingly digital world means hosting providers, cloud service providers, software-as-a-service (SaaS) providers and the like. It also means that software developers, web developers and app developers who provide a platform on which their clients process personal data are caught by the definition of a data processor if they also host that platform.
Exactly what this means will depend on each business and the services it provides, but essentially, if your business provides a service that processes personal data for your clients, you are a data processor and these new GDPR rules apply to your business.
With the compliance deadline of 25th May 2018, the date from which the GDPR applies across Europe, time is tight for preparing your business, but the following steps should help you on the road to compliance by the deadline.
When it comes to data protection compliance there’s a lot to think about. The GDPR introduces new responsibilities for organisations that process data on behalf of their customers, and it requires data controllers to ensure that their processors are GDPR compliant.
Time until the GDPR deadline is running out, but provided you put in place a plan of action to meet your compliance requirements, you should be able to make that deadline.
This guest post has been written by Mark Gracey, founder of the Flavourfy Digital consultancy and the Digital Compliance Hub, an online resource to help businesses meet their digital regulatory obligations including GDPR compliance, privacy and marketing compliance and data security.