One of the main changes coming in with the General Data Protection Regulation (GDPR) is the increased accountability of, and the direct obligations on, data processors. Under the current data protection regime liability rests with the data controller: processors have generally been liable only insofar as their contracts with controllers provided, and the controller has been responsible for the actions of any processors it uses.
Under GDPR this changes. Both controllers and processors can be held directly accountable for data protection compliance, which means that data subjects can enforce their rights under GDPR against processors as well as controllers. It also means that processors will need to ensure the security of any processing they carry out. The obligations placed directly on processors include:
- ensuring appropriate technical and organisational measures so there is an appropriate level of security over personal data
- appointing a data protection officer (depending on the processing)
- making sure that personal data is only processed in accordance with the instructions of the controller
- notifying controllers quickly of any breaches
- only using sub-processors with written authorisation from the controller
- ensuring that appropriate contracts are in place with controllers
- maintaining records of all categories of processing activities (applies to certain categories of processors)
- ensuring that transfers of personal data outside the EU only occur where appropriate safeguards are in place
Non-compliance by a processor could result in direct action against the processor by a data subject who has suffered 'material or immaterial damage' as a result of the processor's actions or omissions. Regulators will also be able to impose sanctions directly on processors, including the much-discussed administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
So what should you do? First, check whether you are a data processor. A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller. Second, check whether the processing you carry out falls within the scope of GDPR. It will if the processing is carried out in the context of the activities of an establishment in the EU (regardless of where the processing itself takes place). It will also apply to a processor established outside the EU where the data subjects are in the EU and the processing relates to offering them goods or services, or to monitoring their behaviour, as far as that behaviour takes place within the EU.
Controllers will be getting advice that they need to review their contracts with processors to ensure they adequately deal with GDPR compliance. Get ahead of the curve as a processor and make sure you can answer the questions that controllers will be asking. Processors should carry out a GDPR compliance audit and start addressing any gaps straight away. It is also in a processor's interest that controller/processor contracts are clear on what each party's obligations are. Steps processors should consider now include:
- a data protection compliance audit
- reviewing controller/processor contracts
- looking at whether personal data is transferred outside the EU
- looking at whether any sub-processors are used
- reviewing security measures
- considering if a data protection officer needs to be/should be appointed
If you need advice on data protection and GDPR compliance please contact a member of our Employment Law & Data Protection Team:
Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Leman Solicitors for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.
Under the new regulations, both controllers and processors can be held liable for damage caused by processing that infringes GDPR, and where both are responsible for the same damage each can be held liable for the whole of it (with a right to claim back the other party's share afterwards). In practice this means that if a company has personal data stored or processed by a third party, such as a cloud service provider, partner or supplier, it remains exposed to data subject claims and regulatory action if that third party is breached, and the third party is now exposed directly as well. This is a significant change compared to the current legislative requirements and it will have notable consequences for those organisations that rely on cloud services.