GDPR significantly increases accountability of data processors which means that service contracts become even more important to the processor.
Introduction
With the General Data Protection Regulation (GDPR) going into effect on 25 May 2018, it is a high priority topic in many board rooms.
One of the most significant changes introduced by the GDPR is that it places direct obligations on data processors. Alongside these obligations comes the possibility of data subjects enforcing their rights directly against data processors and an enforcement regime which lays the non-compliant data processor open to sanctions, including potentially hefty fines. This is why GDPR is not just a topic for companies that source services that involve the processing of personal data but also for companies providing such services. While service providers have a variety of business models, from on-premises processors to cloud service providers, the provisions which will apply to them in respect of the processing of client personal data are the same.
Who is affected? Some definitions
It’s worth considering what personal data is and who is caught by the processor obligations.
Personal data
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Controller
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.
For more GDPR and outsourcing governance related terms see our Glossary of Terms.
You also need to consider whether you are within the general scope of the GDPR:
Article 3 states that the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, whether or not the processing takes place in the Union; and to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing relates to the offering of goods or services (whether free or paid for) or the monitoring of behaviour which takes place within the EU.
Main data processor obligations
If you are a data processor within the scope of the GDPR, there are a number of key compliance points, most of which are set out in Articles 28-37 of the GDPR.
Processing to meet the requirements of this Regulation
Data controllers may only appoint data processors which provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR. Processors are required to process personal data only in accordance with the controller’s instructions. This is very broad brush and imposes an indirect obligation to comply with many of the requirements which apply to controllers, albeit at their instruction. This general instruction is likely to be made more specific, including variations by categories of personal data, in the relevant controller/processor contract and it is in the interest of both controllers and processors to make sure obligations are set out as clearly as possible.
Restrictions on sub-contracting
The GDPR gives data controllers a wide degree of control in terms of the ability of the processor to sub-contract. In effect, data processors require prior written consent. This can be general but even where general consent has been given, the processor is still required to inform the controller of any new sub-processors, giving the controller time to object. Where general cloud services are used, the parties typically apply a general consent with the option to object. In case of sub-processing, the lead processor is required to reflect the same contractual obligations it has with the controller in a contract with any sub-processors and remains liable to the controller for the actions or inactions of any sub-processor.
Controller/processor contract
Data processor activities must be governed by a binding contract with regard to the controller. The obligations on the processor must cover the duration, nature and purpose of the processing, the types of data processed and the obligations and rights of the controller. There are a number of specific requirements including that the personal data is processed only on documented instructions from the controller, and requirements to assist the controller in complying with many of its obligations. The data processor has an obligation to inform the controller if it believes any of the controller’s instructions breaches the GDPR or any other EU or Member State law.
Demonstrating compliance
One of the key points of GDPR is the requirement to demonstrate compliance. Processors are under an obligation to maintain a record of all categories of processing activities. This must include details of the controllers and any other (sub-)processors and of any relevant Data Protection Officers (DPOs), the categories of processing carried out, details of any transfers to third countries and a general description of technical and organisational security measures. These records must be provided to the supervisory authority on request. Processors that have fewer than 250 employees are excluded from these obligations, provided the processing does not pose a risk to the rights and freedoms of individuals, is not more than occasional and does not include special data (sensitive personal data).
Security
Data processors, like controllers, are required to implement appropriate security measures. What is appropriate is assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature of the processing. These measures might include pseudonymisation and encryption. Regular testing of the effectiveness of any security measures is also required where appropriate.
Breach notification
Data processors are required to notify their relevant controller of any breach without undue delay after becoming aware of it. This is one of the areas where the GDPR is annoyingly vague. While it is arguably better for processors not to be bound to specific timeframes as controllers are, it is hard to ignore the prospect of disputes between controllers and processors as to when delay may be “undue”. To prevent disputes in this area the parties may benefit from making this more explicit in controller/processor contracts.
Data Protection Officers
The concept of a mandatory DPO is not new. Both controllers and processors are required to appoint DPOs in certain situations, including where they are a public authority or body, where the data processing activities require regular monitoring of data subjects on a large scale, or where the core activities of the processing involve large amounts of special (sensitive) data or data relating to criminal convictions and offences. The DPO is expected to have a degree of independence and is the contact point for any data subjects and for the supervisory authority. The primary role of the DPO is to assist the processor with and advise on compliance with the GDPR.
Transfers to third countries
The processor has to exercise a degree of independence from the controller when deciding whether or not it can transfer personal data to a third country. While processors are required to follow the relevant data controller’s instructions with regard to the data processing, no matter what those instructions are, they may only transfer personal data to a third country (in the absence of an adequacy decision) if the controller or processor has provided appropriate safeguards and on condition that data subjects have enforceable rights in that country with respect to the data. Again, this is an area which should be clarified in controller/processor contracts.
Consequences of non-compliance
Under current law, data processors are subject to liability for failure to comply with their contractual obligations to their controllers. They have not, however, previously been open to direct action by regulators or data subjects. This all changes under the GDPR.
Data subjects will be able to take action against processors and claim damages where they have “suffered material or immaterial damage” as a result of an infringement of the processor obligations under the GDPR. In addition, data subjects can enforce directly against processors who have breached any lawful instructions by the controller. Potentially, processors will be liable both to the controller and data subjects for the same breach although there is a mechanism for apportionment of responsibility between controller and processor with respect to data subjects.
As well as damages claims from data controllers and data subjects, non-compliant data processors are also vulnerable to sanctions by the regulator. These range from access and audit rights, to administrative orders and, ultimately, to fines of up to 4% of annual global turnover for certain breaches.
Are you ready?
The greatly increased accountability of data processors under the GDPR means that the controller/processor contract becomes even more important to the data processor. Under current law, it is arguably the data controller which has the greater interest in covering off its potential liability by signing the processor up to specific obligations. Going forward, however, the processor has as much of an interest in making sure obligations are precisely defined because it will be so much more exposed.
To be ready for GDPR data processors should have ticked the following boxes:
– reviewing and adjusting their existing contracts with data controllers;
– reviewing their use of sub-contractors and related contracts;
– reviewing their data export arrangements;
– deciding whether they need to appoint a DPO;
– reviewing their data security;
– setting up compliance accountability procedures;
– conducting risk assessments to ascertain what form appropriate technical and organisational measures will take;
– making sure critical obligations are effectively managed during the term of the contract.