New Responsibilities for Data Processors under the GDPR
July 15, 2019
Are you well-read on the requirements under the General Data Protection Regulation as they relate to data processors? Read on to see how your business might be impacted.
It’s been just over one year since the General Data Protection Regulation (GDPR) was put in place…but many organizations still have lingering questions. One such question is, how did the data processor role change under the GDPR? Under the GDPR, the concept of a data processor has not changed; however, the data protection law does impose direct compliance obligations on both controllers and processors.
Quick recap on the GDPR
Check out our blog, The General Data Protection Regulation (GDPR) Takes Effect May 25th 2018. The 2018 data protection law replaces the Data Protection Directive 95/46/EC and was designed to implement a uniform data privacy system across Europe. Even if you’re based outside of the EU, the GDPR still applies to your organization if you deal with the personal data of any EU citizens.
Data controller vs. processor
It is important to know the difference between a data controller and processor in order to be fully compliant with the GDPR.
Data controller: The data controller determines the purposes for which and the means by which personal data is processed. To put it simply, the data controller dictates how and why data is going to be used by the organization.
Data processor: The data processor processes personal data on behalf of the controller. Typically, the data processor is a third party external to the company, and does not own or control the data that it processes.
What did the GDPR change?
Whereas the Data Protection Directive held data controllers liable for data protection noncompliance, the GDPR introduces direct obligations for data processors for the first time.
This means that data controllers (in other words, the customers of data processors) must only choose processors that comply with the GDPR. Controllers face penalties if they do not comply with this.
In addition, the GDPR requires data processors to:
- Process personal data only when given instructions from the controller, and inform the controller if an instruction infringes on GDPR compliance.
- Acquire written permission from the controller before engaging a subcontractor, and assume full liability for failures of subcontractors to meet the GDPR.
- Delete or return all personal data to the controller at the conclusion of the service contract (upon request).
- Enable and contribute to compliance audits conducted by the controller or a representative of the controller.
- Take reasonable steps to secure data, such as encryption and “pseudonymization” (a process through which personally identifiable fields within a data record are replaced by one or more artificial identifiers or pseudonyms), as well as stability and uptime, backup and disaster recovery, and regular security testing.
- Notify data controllers of data breaches immediately after learning of them.
How will this impact data processors?
Processors are likely to face significantly higher costs as a result of the increased compliance obligations, which is expected to raise costs for customers as well. Processing agreements are likely to become more complex as well, as processors become more cautious about the terms of the agreement and the scope of the controller’s instructions.
Need assistance complying with the GDPR? We can help. Contact us.