The long-awaited General Data Protection Regulation (GDPR), which came into force in April 2016, will apply in full by May 2018. That means enforcement of its measures is only a little over a year away.
The scope of the GDPR is much wider than that of the previous 1995 Data Protection Directive, and nowhere is that clearer than in its treatment of data processors, who now carry increased direct obligations.
Alongside this sea change is the possibility of data subjects enforcing their rights directly against data processors and a regime which could see non-compliant processors open to increased, hefty fines. Data processors have a variety of business models from on-premises processing to, increasingly, cloud services, but the provisions that apply to processing personal data are the same no matter what the platform.
A processor means a natural or legal person, public authority or agency or other body which processes personal data on behalf of the controller. The GDPR identifies processing activity as follows:
Data processors appointed by controllers must provide sufficient guarantees that they will implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR, and must process personal data in accordance with the controller’s instructions.
Data processors require prior written consent from the controller to subcontract their activities. The processor is required to inform the controller of any new sub-processors, allowing the controller to object. The lead processor is required to reflect its main contractual responsibilities in its sub-processing agreements and remains liable to the controller for the action or inaction of the sub-processor.
Data processing activity must be governed by contractual obligations between controller and processor. There is scope for this to be replaced with Member State or EU Law. The binding obligations must cover the duration, nature and purpose of the processing, the types of data processed and the obligations and rights of the controller. There are a number of specific requirements, such as documented processing and requirements to assist the controller in meeting obligations.
A common theme of the GDPR is accountability and compliance. Processors must maintain a record of all categories of processing activities. This must include details of the controller and any other processors as well as the relevant contact details of the Data Protection Officer (DPO), the categories of processing carried out, details of any transfers or data exports, and a description of technical and organisational security measures. These records must be available to the Supervisory Authority, which in Ireland would be the Data Protection Commissioner, on request.
Processors must have appropriate security measures in place, and what is appropriate is assessed against a variety of factors, including:
Processors are required to take ownership of these issues and, under the GDPR, the onus and responsibility has shifted significantly from the controller to the processor in this regard.
Processors are required to notify the controller of any breach without “undue delay” after becoming aware of it.