The General Data Protection Regulation (the GDPR) is due to come into force in May 2018.
Under the GDPR, Data Controllers will have an obligation to only use those Data Processors that can show that they are compliant with the GDPR.
Data Controllers can no longer rely on contractual clauses alone to show that they are protecting personal data when outsourcing to Data Processors. The GDPR will require organisations to be far more ‘hands-on’ and to assess the compliance by way of audits and supplement that with additional data related policies and procedures.
We have set out below a list of key considerations for Data Controllers when thinking about engaging Data Processors. Circumstances will of course dictate and shape these considerations, so the list is non-exhaustive.
Before engaging Data Processors to carry out data processing activities, Data Controllers should be carrying out due diligence enquiries of the Data Processor’s ability to comply with the GDPR. The GDPR places an obligation on a Data Controller to only use Data Processors that are able to demonstrate compliance.
If a Data Processor is not aware of the GDPR, alarm bells should be ringing.
Mandatory contractual terms
Data controllers should always have a written agreement in place with Data Processors.
The GDPR provides that in any agreement between a Data Controller and Data Processor, there must be obligations on the Data Processor to:
- only act in accordance with the Data Controller's instructions;
- comply with confidentiality obligations (and ensure that its staff comply);
- ensure the security of the personal data;
- only appoint a sub-processor with the consent of the Data Controller (and when appointed, impose mirroring obligations);
- implement measures to assist the Data Controller in complying with the rights of data subjects;
- cooperate with any interaction with the ICO;
- return or destroy the personal data at the end of the agreement; and
- provide the Data Controller with all information necessary to demonstrate compliance with the GDPR (including records etc.)
As there is no ‘transitional period’, existing agreements between Data Controllers and Data Processors subsisting on 18 May 2018 will need to be amended to include such clauses.
Liability caps for breach of data protection provisions in agreements with Data Processors are likely to be a sticking point.
Given the fines available to the ICO when the GDPR comes into force, Data Controllers should be looking to ideally obtain unlimited liability from Data Processors in the event of breach of the data protection provisions in the agreement. Understandably, Data Processors will be seeking to place a limit on their liability.
A liability cap (if any) is a commercial term to be negotiated between the parties, taking into account the availability of insurance and the nature of the data that is being processed.
On-going compliance checks
Data Controllers should consider including in their agreements with Data Processors the right to carry out audits of the Data Processor’s data protection compliance measures throughout the term of the agreement.
Data Controllers have an obligation to know the location of the personal data under its control and the processing that is being carried out. As such, it is prudent for Data Controllers to keep a very close relationship with their Data Processors and ensure that the correct data protection procedures are being followed.
If it is envisaged that the Data Processor will engage Sub-Processors, the Data Controller should require notice of any such Sub-Processors and the ability to carry out the same due diligence and audit checks of the Sub-Processor.
Data Processors will, in their own right, have to comply with the GDPR when carrying out data processing. They will also have to notify the Data Controller of any breach of the GDPR and will be subject to the same fines as Data Controllers (the greater of €20 million or 4% of annual worldwide turnover). For more information on how the GDPR will apply to Data Processors, see our article GDPR: What does this this mean for data processors?
For more information on the GDPR generally, please see our brief guide to GDPR.