This is a new concept. For the first time, data processors will be placed under a direct obligation to comply with certain data protection requirements which previously only applied to data controllers.
How does this concept differ from the current position?
Under the current EU Data Protection Directive:
- only the controller is held liable for data protection compliance, not the processor
- any processing must be: (a) governed by a written contract; (b) carried out in accordance with the controller’s instructions; and (c) subject to appropriate security measures
- in order to protect itself against unnecessary compliance risks, generally, a controller will seek to pass its responsibilities to the processor via the data processing agreement
- regardless of the existence of any data processing agreement, controllers remain legally responsible for any breaches caused by the actions of their data processors
- supervisory authorities have no direct enforcement powers against processors.
In contrast, the GDPR places direct statutory obligations on data processors. These obligations mean that data processors may be subject to direct enforcement by supervisory authorities, serious fines for non-compliance and compensation claims by data subjects for any damage caused by breaching the GDPR. These obligations include:
- Data Processing Agreements – processors may only process personal data on behalf of a controller where a written contract is in place which imposes a number of mandatory terms on the data processor, as set out in the GDPR.
- Sub-processors – processors may not engage a sub-processor without the prior written authorisation of the controller.
- Controller instructions – processors may only process personal data in accordance with the instructions of the controller.
- Accountability – processors must maintain records of data processing activities and make these available to the supervisory authority on request.
- Co-operation – processors must co-operate with the supervisory authority.
- Data security – processors must take appropriate security measures and inform controllers of any data breaches suffered.
- Data Protection Officers – processors must, in specified circumstances, designate a data protection officer.
- Cross-border transfers – processors must comply with restrictions regarding cross-border transfers.
- Sanctions – non-compliant processors risk fines of up to 4% of global annual turnover.
The GDPR also makes data controllers and processors jointly and severally liable. This means that, where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controller or processor involved, that part of the compensation corresponding to their responsibility for the damage.
What is the impact for organisations?
The GDPR strikes a more even balance between the responsibilities placed on data controllers and data processors. This represents a significant change and will dramatically increase the risk profile for entities, such as cloud and datacentre providers, that act as data processors.
This change will impact not only on processors, but also on the controllers that engage them. It is likely that more focus will be placed on negotiating data processing agreements as processors seek to ensure that: (a) increased costs of compliance are reflected in the cost of their services; (b) the scope of the controller’s instructions are clear; and (c) the increased risks are appropriately allocated between the parties.
Some processors may also wish to review their existing data processing agreements, to ensure that they have met their own compliance obligations under the GDPR.
What action is required?
Any changes are likely to take time to implement and both data controllers and processors should act early in order to:
- Identify, review and, where necessary, revise their data processing agreements to ensure that they are GDPR-compliant. Any new agreements should be agreed in accordance with the requirements of the GDPR.
- Consider mechanisms for resolving disputes regarding respective liabilities to settle compensation claims, given the new provision allowing for joint liability for data protection breaches.
- Ensure that you have clear documentation and recording procedures in place to prove that you meet the required standards. Implement measures to prepare and maintain records of your organisation’s processing activities.