The General Data Protection Regulation (GDPR) places data processors under direct regulatory responsibility for the first time, recognising their importance in the data supply chain. This will have a significant impact on the data controller-data processor relationship relating to the content of data processing contracts.
Under the GDPR, any data processing contracts that run beyond 25 May 2018 need to be drafted (or amended) to incorporate the expanded mandatory contractual clauses laid out by the GDPR. The second key change is the requirement to only use data processors that are able to demonstrate compliance with the GDPR.
Under existing data protection legislation, namely the Data Protection Act 1998, data processors can only process personal data under the documented instructions of the data controller, unless required otherwise by law. Under the GDPR, the mandatory contractual clauses are a lot more prescriptive and expand beyond the requirement to simply act on the data controller’s instructions.
All data processing contracts should clearly state the expectations of the data controller in terms of how the data will be processed. In turn, the data processor must not process the personal data outside the scope of the data controller’s instructions. If the processor does so, it may become a ‘data controller’ under the GDPR and therefore be subject to additional legal requirements.
If the processing activities change, for example as the relationship progresses and new services are requested or procured from the data processor, the data processing agreement must be updated to reflect the data processing taking place. This can be managed by including an appropriate change control mechanism in the data processing agreement, which enables new data processing activities to be identified and appropriate contractual amendments made.
Obligation of confidentiality
Data processors must ensure that personnel used for data processing are committed to an obligation of confidentiality, for example through their employment contract or professional confidentiality rules. This should be reinforced through effective data protection training. Data controllers should also undertake their own due diligence on data processors to check this is happening.
Appropriate level of security
Data processors are responsible for making sure security levels are appropriate to the risks associated with the types of data being processed and the manner in which the personal data is processed. The GDPR requires that when assessing the appropriate level of security, consideration should be given to the ‘state of the art, the costs of implementation and the nature, scope, context and purposes of processing’.
It is recommended therefore that the data controller and the data processor undertake a data protection impact assessment of the privacy risks and record their findings and decisions. This way, they can demonstrate that they have identified and considered any privacy risks; assessed their severity and how they could be mitigated; documented the decisions taken; implemented any appropriate technical and organisational measures to safeguard the data; and managed any privacy risks.
Under the GDPR, a data processor must obtain the data controller’s written consent prior to engaging any sub-processor. It is recommended that the data controller implements a robust monitoring process which includes notification of the appointment of any sub-processors and any changes to the sub-processors, as well as due diligence checks by the data controller, such as a monthly review of who has access to the personal data.
Helping with compliance
Data processors must assist data controllers with complying with the GDPR. For example, they must assist the data controller with implementing appropriate technical and organisational measures to safeguard the personal data being processed, such as anonymising data and using reliable systems that can be brought back online in the event of a system failure.
Data processors should also be able to assist with responding to data subject requests as individuals exercise their rights under the GDPR; notifying breaches to the relevant regulatory authority (and in some cases the individuals); and conducting data protection impact assessments.
Both parties should set out clear expectations in the data processing agreement of who is responsible for which processing activities, and who will bear the costs, for example in the event of a breach.
Additionally, at the behest of the data controller, the data processor must either delete or return all personal data when the processing services are complete. The data controller must be aware of the location of the personal data at all times and know how it is being processed. The data processing agreement should specify what happens to the personal data when the data processing agreement comes to an end, and include provisions to ensure this happens, for example requiring written confirmation that the personal data has been securely destroyed or returned to the data controller. The data controller should also undertake its own compliance checks, for example checking the personal data has been destroyed by a reputable organisation.
Assisting with audits and inspections
In order to demonstrate compliance, the data processor will need to allow the data controller and the Information Commissioner’s Office to carry out audits and inspections to verify their compliance with the GDPR. Provisions should therefore be included in the data processing agreement setting out these rights.
Monitoring data processors
Data controllers should consider setting up a compliance programme specifically to monitor their organisation’s use of data processors. As a minimum, this should include assessing how potential data processors comply with the GDPR, and reviewing their data protection compliance programme and their general approach to data protection. This should, where appropriate, include undertaking periodic assessments to confirm that standards are being maintained. The assessments and monitoring undertaken should be proportionate to the risks.
Negotiating contract terms
With fines for non-compliance with the GDPR increasing to the greater of €20,000,000 or 4% of annual worldwide turnover, caps on liability under contracts are likely to be a focus for both the data controller and the data processor. Data processors will not want to commit to a high cap on liability that, in reality, may leave the data processor unable to financially continue to run its business. Too low, and the cap may not cover fines and the additional costs of dealing with data breaches, such as management time, damage to reputation and remediation costs.
When setting any liability caps under the data processing agreement, consideration must be given to the nature of the data, the manner in which it is processed and the purposes for which it is processed.
By Jenai Nissim, legal director at UK law firm TLT
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/