Tamasin Dorosti, recent secondee at our Brussels office, explains the new compliance obligations for 'controllers' and 'processors' under GDPR.
‘Controllers’ define the purpose and means of the processing and ‘processors’ carry out the processing on behalf of controllers.
Whilst these definitions are not new to the GDPR, there are new compliance obligations imposed by the GDPR onto controllers and processors.
Consequently, organisations that act as processors are likely to face increased compliance costs, and those that act as both controllers and processors will need to renegotiate their processing agreements to bring them into compliance with the GDPR. Processors will also, for the first time, be subject to penalties and to civil claims by data subjects.
Below I've set out some of the most important additional obligations placed on controllers and processors in the GDPR:
Controllers:
- Data protection by design and default (Articles 25 and 28) – Controllers have a general obligation to implement technical and organisational measures to show they have considered and integrated data protection into their processing activities, and that the processors they use can guarantee the same.
- Notification of data breaches to DPAs within 72 hours, and to affected data subjects without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons (Articles 33 and 34)
- Carrying out a Data Protection Impact Assessment (Article 35) – prior to introducing a data processing activity which is likely to result in a high risk to the rights and freedoms of natural persons.
Processors:
- Compliance with the controller’s instructions on processing (Article 29)
- Notification of data breaches to the controller without undue delay (Article 33)
- Although not obliged to carry out a Data Protection Impact Assessment (DPIA) themselves, processors must support controllers carrying out DPIAs (Article 35)
Both controllers and processors:
- Appointment of an EU Representative (Article 27) in certain circumstances where personal data of data subjects who are in the EU is processed by a controller or processor which is not established in the EU.
- Processing to be governed by a contract between the processor and the controller (Article 28) to regulate the relationship in greater detail, and require the processor:
  - To generally process the personal data only on documented instructions from the controller;
  - To ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  - To secure the processing by appropriate technical and organisational measures;
  - To comply with stricter sub-processing rules under paragraphs 2 and 4 of Article 28;
  - To assist the controller by appropriate technical and organisational measures in responding to data subjects’ requests;
  - To assist the controller in compliance with the latter’s obligations regarding security of processing, data breaches and DPIAs;
  - To return or delete all personal data after the end of services, at the choice of the controller, unless obliged to retain the data by law; and
  - To make available to the controller all information necessary to demonstrate compliance with the latter’s obligations, and to allow for and contribute to audits, including inspections.
- Maintenance of records of processing activities (Article 30) – note there is a carve-out for processors from these obligations where they have fewer than 250 employees, the processing does not pose a risk to the rights and freedoms of individuals, is not more than occasional and does not include special data (sensitive personal data).
- Cooperation with supervisory authorities (Article 31)
- Security (Article 32) – to implement technical and organisational measures appropriate to the level of risk, including where necessary pseudonymisation and encryption, the ability to restore availability and access to personal data in a timely manner following a physical or technical incident, the ability to ensure ongoing resilience of security systems, and a process for regularly testing the effectiveness of the technical and organisational measures.
- Obligation to appoint a mandatory DPO (Article 37) in certain circumstances.
- Restrictions on international data transfers (Article 46) – A controller or processor may only transfer personal data to a third country (in the absence of an adequacy decision) if the controller or processor has provided appropriate safeguards and on condition that data subjects have enforceable rights in that country with respect to the data. Appropriate safeguards include binding corporate rules, model contract clauses, a code of conduct, an approved certification mechanism or a legally binding instrument between public authorities.
You can see that under the GDPR, processors are much more exposed than previously and, as a result, will be keen to ensure that obligations are precisely defined in processing agreements. Controllers and processors will also need to work more closely together to ensure compliance with the provisions of the GDPR.
Your organisation should already be thinking about whether it acts as controller or processor, or possibly both. You need to assess how the above obligations will apply to your organisation and take steps to ensure compliance by 25 May 2018.
Tamasin is a trainee from Boyes Turner LLP who has just completed a secondment to the Law Society’s Brussels Office where she was involved in law reform and policy work in the field of privacy and data protection.