In one of our recent GDPR updates we reviewed the impact which the GDPR would have on data processors. As explained in that update, data processors will see a significant shift in their responsibilities under data protection laws after the introduction of the GDPR.
When we refer to a "data processor" we mean a party which deals with or stores personal information on your behalf. Some common examples are service providers providing outsourced services such as IT/cloud facilities, accounting services, marketing, payroll and confidential waste disposal.
At present, data protection obligations rest with data controllers by law. No direct obligations are placed on data processors under current legislation. At most, current legislation provides that data processing arrangements must be governed by a written contract requiring: a) the data processor to act only on the data controller's instructions; and b) the data processor to maintain appropriate technical security and organisational measures to ensure the security of the data.
But a new day is dawning! Under the GDPR data processors will have direct obligations. You can read about these in our recent update on "Data Processors and GDPR".
So, when considering engaging a data processor, what should you be thinking about? Well, there are two key matters to consider: the contract with your proposed data processor and the technical and organisational measures your proposed data processor intends to put in place to protect your personal information. We will consider each in turn.
Agreements with Data Processors
The obligation to have a contract with a data processor remains part of the new data protection framework. However, the new rules require the inclusion of additional obligations on data processors.
In addition to the current obligations to act on the data controller's instructions and to maintain appropriate technical security and organisational measures, the GDPR will require data processing agreements to oblige data processors to:
- impose confidentiality obligations on all personnel processing relevant data for the data processor;
- abide by the GDPR's rules regarding the appointment of sub-processors (essentially, a processor cannot appoint a sub-processor without the data controller's prior written authorisation, which may be specific or general, and must pass the same data protection obligations down to the sub-processor; this ensures the data controller has a full understanding of the way in which its data is processed);
- implement procedures to assist the data controller to comply with the rights of data subjects;
- assist the data controller in meeting its other obligations under the GDPR, such as keeping the processing secure, notifying personal data breaches, carrying out data protection impact assessments and consulting the supervisory authority where required;
- return or destroy personal data at the end of the data processing relationship (at the data controller's choice, unless other laws require the data to be retained); and
- provide the data controller with all information required to demonstrate compliance with the GDPR, and allow for and contribute to audits and inspections – in practice this means including audit or inspection provisions in the contract.
You must ensure that once the GDPR is in force any arrangement which you enter into with a data processor is on the basis of a robust written data processing contract which contains, as a minimum, the obligations outlined above.
You may find that the terms you currently use in your data processing agreements already include some or all of these provisions. This is because these obligations represent good practice. However, many data processing agreements will need to be updated in order to comply with GDPR and this is likely to result in more detailed negotiations with data processors when agreeing data processing arrangements.
Due diligence on Data Processors
Another new aspect of the GDPR is that a data controller may only engage a data processor which provides sufficient guarantees that it has in place appropriate technical and organisational measures to ensure that the processing will comply with the GDPR. In practice, this is likely to result in data controllers carrying out increased due diligence when engaging a new data processor or reappointing an existing one.
As a minimum you would expect a data processor to confirm its compliance with the GDPR, but you may decide, particularly where a data processor is handling sensitive data or large volumes of data, to request further information to give you sufficient confidence. For example, you may wish to ask for evidence of security procedures and protocols, data protection policies and procedures, evidence of staff training and commitment to data protection, or evidence of adherence to an approved code of conduct or certification scheme.
In any event, we certainly expect data controllers to have a greater awareness of their data processor's activities and the way in which their data is handled and protected while in the hands of their data processors.
How can you prepare for GDPR?
With an understanding of the way in which relationships with data processors will be affected by GDPR you can start to review your current data processing arrangements with a view to making any changes required at an early stage.
The first step is to identify the data processors with which you already engage and to assess whether your relationship with each of them is compliant with current legislation – i.e. do you have a written agreement in place with that party, and does it contain the provisions currently required?
The next step is to make any changes needed to bring those arrangements into line with current legislation – i.e. if you do not already have written agreements in place with your data processors, you should put them in place as soon as possible.
Then, before the GDPR comes into effect, you will need to update any data processing agreements which do not already contain the new obligations. You should also update your standard contracts to ensure they are suitable for engaging data processors after the GDPR comes into effect. Finally, you should consider what due diligence you will undertake on new and existing data processors, how you will record it, and how you will manage ongoing reviews.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact a member of the MacRoberts Compliance and Regulatory team for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.