The long-awaited General Data Protection Regulation (GDPR) is no longer a mirage floating tantalisingly (or threateningly) in the distance but is very much upon us. We now know that the GDPR will apply from 25 May 2018. Those hoping that Brexit may get UK businesses out of having to comply may be interested to read our views on this. While it is unsurprising that many UK organisations are holding off worrying about the GDPR until after the Referendum, whatever the outcome, the GDPR is something that more than just organisations in EU Member States need to take into account. As we discussed in our last batch of Global Data Hub content, the scope of the GDPR is much wider than that of the outgoing Data Protection Directive, and nowhere is this clearer than in the new direct obligations on data processors.
One of the most significant changes brought in by the GDPR is that it places direct obligations on data processors for the first time at EU-wide level. Alongside these obligations comes the possibility of data subjects enforcing their rights directly against data processors and an enforcement regime which lays the non-compliant data processor open to sanctions, including potentially hefty fines. While data processors have a variety of business models, from on-premises processors to cloud service providers (for more on this see our other article), the provisions which will apply to them in respect of the processing of client personal data are the same.
Who is affected? Some definitions
It's worth considering who is caught by the processor obligations.
"Processor" (Article 4(8)) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
"Controller" (Article 4(7)) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…
You also need to consider whether you are within the general scope of the GDPR:
Article 3 states that the GDPR applies:
- to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether or not the processing takes place in the Union; and
- to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing relates to the offering of goods or services to those data subjects (whether free or paid for) or to the monitoring of their behaviour as far as that behaviour takes place within the Union.
If you fall within the scope of the GDPR as a data processor, there are a number of key compliance points, the majority of which are set out in Articles 28-37 of the GDPR.
Processing to meet the requirements of this Regulation
Data controllers may only appoint data processors which provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR. Processors are required to process personal data in accordance with the controller's instructions. This is very broad brush and imposes an indirect obligation to comply with many of the requirements which apply to controllers, albeit at their instruction. It is likely that this general requirement will be made specific in the relevant controller/processor contract and it is in the interest of both controllers and processors to make sure obligations are set out as clearly as possible.
Restrictions on sub-contracting
The GDPR gives data controllers a wide degree of control over the processor's ability to sub-contract. In effect, a processor needs the controller's prior written authorisation before engaging a sub-processor. That authorisation can be specific or general, but even where general authorisation has been given, the processor is still required to inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object.
The lead processor is required to reflect the same contractual obligations it has with the controller in a contract with any sub-processors and remains liable to the controller for the actions or inactions of any sub-processor.
Contracts
Processing by a processor must be governed by a contract (or other legal act) under Union or Member State law that binds the processor to the controller. The binding terms must cover the subject-matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and the obligations and rights of the controller. There are a number of specific requirements, including that the personal data is processed only on documented instructions from the controller, and requirements to assist the controller in complying with many of its own obligations. The processor must also immediately tell the controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection law.
Records of processing
One of the threads which runs through the GDPR is the requirement to demonstrate compliance. Processors are under an obligation to maintain a record of all categories of processing activities carried out on behalf of each controller. This must include the name and contact details of each controller and any other processors and of any relevant Data Protection Officers (DPOs), the categories of processing carried out, details of any transfers to third countries (including the safeguards relied on) and, where possible, a general description of technical and organisational security measures. The record must be kept in writing (including electronically) and provided to the supervisory authority on request.
There is a carve out from this obligation where the organisation has fewer than 250 employees, provided the processing is not likely to result in a risk to the rights and freedoms of individuals, is only occasional and does not include special (sensitive) data or data relating to criminal convictions and offences.
Security
Processors, like controllers, are required to implement appropriate technical and organisational security measures. What is appropriate is assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. These measures might include pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems, and the ability to restore availability and access to data in a timely manner after an incident. A process for regularly testing, assessing and evaluating the effectiveness of the security measures is also required where appropriate.
Breach notification
The enhanced breach notification requirements on both data controllers and data processors have been causing concern to stakeholders since the first draft of the GDPR was published. While the obligations on controllers have been slightly reined in over subsequent drafts (controllers must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach), processors are required to notify their relevant controller of any personal data breach without undue delay after becoming aware of it. This is one of the areas where the GDPR is annoyingly vague. While it is arguably better for processors not to be bound to a specific timeframe as controllers are, it is hard to ignore the prospect of disputes between controllers and processors as to when delay may be "undue". This is an area which might benefit from being dealt with in more detail in controller/processor contracts, for example by agreeing a fixed number of hours within which the processor must notify and what the notification must contain.
Data Protection Officers
The concept of a mandatory DPO is not new in all EU jurisdictions but it is new to the UK. Both controllers and processors are required to appoint a DPO in certain situations: where they are a public authority or body, where their core activities consist of processing which requires regular and systematic monitoring of data subjects on a large scale, or where their core activities consist of large-scale processing of special (sensitive) data or data relating to criminal convictions and offences. The DPO must have a degree of independence and is the contact point for data subjects and for the supervisory authority. The primary role of the DPO is to inform and advise the processor on its obligations and to monitor compliance with the GDPR. Processors may also choose to appoint a DPO even if they do not fall into one of the specified categories, or they may be required to do so under Member State law. If a DPO is appointed, contact details for the DPO must be published and communicated to the supervisory authority.
Transfers to third countries
The processor has to exercise a degree of independence from the controller when deciding whether or not it can transfer personal data to a third country. Although processors are required to follow the controller's documented instructions with regard to the processing, a transfer to a third country (in the absence of an adequacy decision) is only permitted if the controller or processor has provided appropriate safeguards and on condition that data subjects have enforceable rights and effective legal remedies in respect of the data. An instruction to transfer which would not meet these conditions cannot simply be followed. Again, this is an area which should be clarified in controller/processor contracts. Appropriate safeguards may be provided in a number of ways including in the form of Binding Corporate Rules, standard contractual clauses adopted by the Commission or a supervisory authority, an approved code of conduct or certification mechanism, or a legally binding and enforceable instrument between public authorities.
Codes of Conduct
The GDPR refers to approved Codes of Conduct as a means both to impose additional obligations on processors and for them to demonstrate compliance. Associations or other bodies representing categories of controllers or processors may submit draft Codes of Conduct to the relevant supervisory authority for approval, and the Commission may declare an approved code to have general validity across the Union. Certification or seal programmes may also be used to demonstrate compliance with GDPR requirements. This introduces the potential for different standards across different industries and between Member States. We will have to wait and see how widely used they become and how useful they are.
Consequences of non-compliance
Under current law, data processors are subject to liability for failure to comply with their contractual obligations to their controllers. They have not, however, previously been open to direct action by regulators or data subjects. This all changes under the GDPR.
Data subjects will be able to take action against processors and claim compensation where they have "suffered material or non-material damage" as a result of an infringement of the GDPR. A processor is liable only where it has failed to comply with obligations specifically directed at processors, or where it has acted outside or contrary to the controller's lawful instructions. Where both controller and processor are responsible for the same damage, each can be held liable to the data subject for the entire damage; whichever pays may then claim back from the other the part of the compensation corresponding to that party's share of responsibility. In practice this means a processor may face claims from both the controller and data subjects in respect of the same breach.
As well as damages claims from data controllers and data subjects, non-compliant data processors are also vulnerable to sanctions by the regulator. These range from access and audit rights, to administrative orders and, ultimately, to fines. Breaches of the processor-specific obligations (such as those on contracts, records, security and breach notification) attract fines of up to 2% of annual global turnover or EUR 10 million, whichever is higher, while breaches of the rules on international transfers and of orders from the supervisory authority fall into the higher tier of up to 4% of annual global turnover or EUR 20 million.
The greatly increased accountability of data processors under the GDPR means that the controller/processor contract becomes even more important to the data processor. Under current law, it is arguably the data controller which has the greater interest in covering off its potential liability by signing the processor up to specific obligations. Going forward, however, the processor has as much of an interest in making sure obligations are precisely defined because it will be so much more exposed.
We are now at the start of a two year period before the GDPR applies so data processors should be thinking about:
- reviewing their existing contracts with data controllers;
- reviewing their use of sub-contractors;
- reviewing their data export arrangements;
- whether they need to or should appoint a DPO;
- reviewing their data security;
- setting up compliance accountability procedures; and
- conducting risk assessments to ascertain what form appropriate technical and organisational measures will take.