The effects of GDPR on data processors

The long-awaited General Data Protection Regulation (GDPR), which came into force in April 2016, will apply in full by May 2018. That means enforcement of its measures is only a little over a year away.

The scope of the GDPR is much wider than the previous 1995 Data Protection Directive, and nowhere is that clearer than on data processors, with increased direct obligations.

Alongside this sea change is the possibility of data subjects enforcing their rights directly against data processors and a regime which could see non-compliant processors open to increased, hefty fines. Data processors have a variety of business models from on-premises processing to, increasingly, cloud services, but the provisions that apply to processing personal data are the same no matter what the platform.

A processor means a natural or legal person, public authority or agency or other body which processes personal data on behalf of the controller. The GDPR identifies processing activity as follows:

Data processors appointed by controllers must provide sufficient guarantees that they will implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR, and that they will process personal data in accordance with the controller’s instructions.

Data processors require prior written consent from the controller to subcontract their activities. The processor is required to inform the controller of any new sub-processors, allowing the controller to object. The lead processor is required to reflect the main contractual responsibilities in its sub-processing agreements and remains liable to the controller for the action or inaction of the sub-processor.

Data processing activity must be governed by contractual obligations between controller and processor. There is scope for this to be replaced with Member State or EU Law. The binding obligations must cover the duration, nature and purpose of the processing, the types of data processed and the obligations and rights of the controller. There are a number of specific requirements, such as documented processing and requirements to assist the controller in meeting obligations.

A common theme of the GDPR is accountability and compliance. Processors must maintain a record of all categories of processing activities. This must include details of the controller and any other processors as well as the relevant contact details of the Data Protection Officer (DPO), the categories of processing carried out, details of any transfers or data exports, and a description of technical and organisational security measures. These records must be available to the Supervisory Authority, which in Ireland would be the Data Protection Commissioner, on request.

Processors must have appropriate security measures and what’s appropriate is assessed in terms of a variety of factors including:

Processors are required to take ownership of these issues and, under the GDPR, the onus and responsibility in this regard have shifted significantly from the controller to the processor.

Processors are required to notify the controller of any breach without “undue delay” after becoming aware of it.
