Increased obligations for data processors
The new General Data Protection Regulation (GDPR) will apply across the EU from 25 May 2018. Under the Regulation, data processors will be subject to more stringent obligations than under existing data protection law and will, for the first time, carry many of the same direct statutory obligations as data controllers. These new obligations are backed by strict enforcement measures to ensure compliance.
New Obligations on Data Processors
- Contract: All data processing carried out on behalf of a controller must be governed by a written contract (which may be in electronic form) between the data processor and the data controller. The contract must state that the data processor will act only on the data controller's documented instructions, and must set out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects involved, and the obligations and rights of the controller. It must also impose a duty of confidentiality on the persons the processor authorises to process the data.
- Consent to sub-contracting: A data processor may not engage a sub-processor without the prior written authorisation of the data controller. That authorisation may be specific or general; where it is general, the processor must inform the controller of any intended change of sub-processor and give the controller an opportunity to object. Any sub-processor appointed must be bound by the same data protection obligations as those in the contract between the data controller and the data processor, and the original processor remains fully liable to the controller for the sub-processor's performance.
- Records of processing: Data processors will be required to maintain written records of all categories of processing carried out on behalf of each data controller. Those records must be made available to the relevant Data Protection Authority on request, and the processor must make available to the data controller all information necessary to demonstrate compliance. Processors will also be required to co-operate with any Data Protection Authority in the performance of its tasks. In Ireland, the relevant Authority is the Data Protection Commissioner.
- Security measures must be appropriate: Data processors must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The Regulation lists, by way of example, pseudonymisation and encryption, measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, and the ability to restore availability and access to data in a timely manner after a physical or technical incident. The effectiveness of these measures must be regularly tested, assessed and evaluated. Data processors can be subject to fines, penalties and compensation claims if they fail to ensure appropriate security measures are in place.
- Breach notification: Upon becoming aware of a personal data breach, the data processor must notify the data controller without undue delay. This allows the data controller to react swiftly and, where required, to meet its own obligation to notify the Data Protection Authority within 72 hours of becoming aware of the breach.
- Data Protection Officer: In certain circumstances, data processors will be obliged to appoint a Data Protection Officer (DPO). A DPO is a person formally tasked with ensuring that an organisation is aware of, and in compliance with, its data protection obligations. A DPO is mandatory only where the organisation is a public authority or body, where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of (sensitive) personal data or data relating to criminal convictions and offences. However, organisations that are not mandated to appoint a DPO under the GDPR remain free to appoint one voluntarily.
Under the GDPR, data subjects who suffer damage as a result of a data processor's failure to comply with its obligations under the Regulation will be able to claim compensation directly from the processor. A data controller that has paid compensation may also recover from the processor the part of the damage attributable to the processor's breach.
The Data Protection Authorities across the EU (including the Irish Data Protection Commissioner) will also be able to impose administrative fines on non-compliant data processors. Depending on the infringement, these fines can reach €20 million or 4% of total worldwide annual turnover, whichever is higher.
Preparing for GDPR
If your organisation falls under the heading of a "data processor", you should consider the following matters in advance of the GDPR applying from 25 May 2018:
- Begin keeping records of processing activities in accordance with GDPR requirements;
- Consider whether your organisation is required to appoint a DPO;
- Draft a process for notifying the data controller in the event of a personal data breach;
- Review security measures and ensure they meet the GDPR standard, including a process for regularly testing their effectiveness;
- Review the position in any data processing agreements regarding sub-processors, including whether the controller's authorisation is specific or general;
- Review existing data processing contracts and consider adding the GDPR requirements if not already present, such as the duration, nature and purpose of the processing, the types of data and categories of data subjects, and the confidentiality obligations of the processor.