You may have read recent media reports about the EU’s General Data Protection Regulation (GDPR), which has applied since May 25, 2018. The legislation aims to strengthen the protection of individuals’ personal data, including against data breaches, and to improve how organizations approach data privacy. Practically speaking, the GDPR affects individuals and companies around the world, not only those located in the EU. If your business ‘controls’ personal data of individuals in the EU (i.e. determines the purposes and means of processing it), perhaps because you offer goods and services to individuals in the EU or monitor the behaviour of individuals inside the EU, you should certainly continue reading. We would like to take you through the immediate steps controllers should be taking in relation to their data processors in order to comply with the GDPR.
Controllers and Data Processors
Controllers are accountable under the GDPR for making sure that processing activities are compliant. Chances are, if a controller handles a large amount of personal data, it uses a third party to process some of that data on its behalf. The GDPR defines ‘processing’ broadly to include, for example, collecting, recording, storing, organizing, altering, using, disclosing and erasing personal data, whether or not by automated means. Processors located physically outside of the EU (e.g. cloud service providers) are also caught by this broadly worded definition. The requirements for processing personal data under the GDPR are stricter than those under Canada’s federal privacy law (the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), or “PIPEDA”), and they place data protection and security at the centre of the safeguards that controllers and processors must put in place.
The GDPR not only urges controllers and third-party processors to review their existing agreements, but goes a step further and sets out mandatory terms that a data processing agreement must contain. A controller should:
- Begin by conducting and documenting its due diligence, and vet potential processors before entering into an agreement. A compliant data processing agreement should, for instance, set out the processor’s obligations (including processing personal data only on the controller’s documented instructions and implementing appropriate security measures), describe the processing activities (duration, purpose, types of personal data and categories of data subjects, etc.), set out how the data will be returned or deleted when the agreement terminates, and restrict the processor’s ability to engage sub-processors without the controller’s prior written authorization.
- If it is satisfied with a current third-party processor, audit the existing services agreement and renegotiate any terms that fall short, in order to best shield the business from potential liability under the GDPR. A major focus should be placed on updating representations, warranties and indemnification provisions, and perhaps on requiring additional insurance from the processor. Controllers may wish to engage a privacy lawyer to assist with this undertaking.
Keeping Privacy in Mind Mitigates Risk
There is no doubt that the GDPR increases a controller’s potential liability, as well as the cost of contracting with third-party processors. At the same time, the penalties under the GDPR have been expanded significantly (administrative fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher) and are worth the extra effort to avoid. Overall, the GDPR is yet another indicator of the trend toward designing products and systems with privacy in mind, rather than treating privacy as an afterthought. The best way to mitigate your risk is to move forward with this mantra in mind and embrace the shift toward greater transparency and control for data subjects.