GDPR compliance – where does the responsibility lie?

The natural assumption ahead of GDPR implementation is that businesses and service providers have, or are, taking steps to ensure that their systems and processes are compliant. But in the case of organisations that use external service providers for data storage and management, is there an assumption that their systems will automatically be ‘GDPR-ready’? If so, what are the responsibilities of both organisation and service provider to ensure GDPR compliance, and what steps can be implemented to ensure that these are clearly defined and implemented?

The responsibility of the business

Preparing systems to be GDPR compliant is not a small task. It starts with making sure the decision makers in the organisation are aware of the legislation change. After that, just a few of the steps to compliance, as suggested by the Information Commissioner’s Office (ICO), include:

- Analysing and documenting the type of personal data the business holds.
- Checking procedures to make sure they cover all the rights individuals have.
- Identifying the lawful basis for processing activity.
- Reviewing consent procedures.
- Implementing procedures to detect, report and investigate personal data breaches.

This may seem like a small list, but in reality implementing all of these steps can be daunting. For a business that stores its own data, it may be the ideal time to consider moving to an infrastructure delivered by a provider that has GDPR compliance expertise. The advantage can be two-fold: taking the storage function externally can free up a lot of space and resources internally, while also reducing the in-house time, resources and budget needed to make systems GDPR compliant.

It is, however, important that the service provider’s systems meet GDPR requirements, and that the provider can demonstrate compliance with the legislation. This matters particularly for a company outsourcing for the first time. If in doubt, always ask.

It’s also critical to understand where providers are storing data. The data centres may reside in the UK or EU, but the contract may prevent data being transferred between data centres outside of the EU. An organisation may choose to work with a provider outside of the EU, but if the data relates to an EU citizen, safeguards and measures must be in place to meet the GDPR standards.

Carrying out an assessment to determine the level of risk that could be posed to individuals should data be compromised will help a company to understand whether further measures need to be implemented to protect that data.

Last but not least, a business that handles large amounts of personal information may need to appoint a Data Protection Officer (DPO). Companies involved in large-scale monitoring, CCTV recording or profiling will certainly need to consider this.

The responsibility of the service provider

GDPR marks a change in the balance of responsibility between data controller and data processor. Under the new regulations, data processors – such as IT and cloud hosting providers – will have more responsibility to better protect data. It’s therefore important to question a cloud provider or potential new supplier more thoroughly about whether they are compliant, so that the business can be reassured and shown that its data is in the hands of a GDPR-compliant service provider.

When drawing up a contract, whether for a new or a repeat service, it’s now more important than ever to look at the small print. External providers need to include and clearly define the capabilities and coverage of their GDPR compliance. For example, if you haven’t yet started the compliance process, discuss and agree on whether the provider can and will undertake it as part of the service. Don’t assume that it will automatically be undertaken when it’s not in the contract, because this could be disastrous for both parties.

GDPR is coming. It is not a recommended code of practice but a legal requirement. Businesses and service providers have an obligation to ensure compliance before May 25th next year, or face fines of up to 4% of annual turnover, as well as the possibility of bans on trading in EU locations if providers do not comply with the GDPR. Compliance can be a daunting task, but burying one’s head in the sand in the hope that it will go away is not the answer. Find reliable technology partners who have experts on hand to answer questions and provide reassurance that your organisation won’t be in the firing line when the legislation comes into force.

By Paul Mills, group sales director, Six Degrees Group
