The current Data Protection Act 1998 puts the legal onus for compliance squarely onto the Data Controller. Data Processors are therefore only obliged to do as they are instructed to by the Data Controller, unless the Data Controller has issued the Processor with a contractually binding document outlining that they too must comply with the core tenets of the DP Act 1998 (usually called a Data Processors Agreement). This is set to change under the General Data Protection Regulation (GDPR).
How GDPR changes the goalposts
One big change with GDPR is that both Data Controllers and Data Processors will be jointly and severally responsible for compliance with the new regulation, and both parties can be fined and/or imprisoned for non-compliance.
It is therefore likely that there will be court actions between Processors and Controllers when apportioning blame for claims relating to non-compliance; and because Data Subjects' rights will have increased and the threshold for taking a claim to court will have been lowered, more court actions are predicted.
Increased fines and costs
As the maximum fine will increase from £500,000 to £15,000,000 (or 4% of global turnover, if bigger), the risks for Processors increase dramatically.
You therefore want to know that your Data Controller understands the ramifications of GDPR thoroughly, has a DPO of their own, and gives clear direction on the functions they want the Processor to fulfil in order to minimise risk (such as much tighter data retention and deletion guidance).
Processors' costs could also increase as the Controller's responsibility for vetting grows; for example, the Controller may well:
- insist their Processor is ISO27001 certified,
- ask about privacy by design being embedded into their systems,
- want confirmation of the level of staff training.
More reassurance and more responsibility
Conversely, the Processor will want reassurance that they aren't handling data for a client who might take unnecessary risks, for example:
- incorrectly permissioned data
- no DPO
- tricky legacy issues
They will also want all instructions to be given in writing, as documentation, especially where a risk assessment is required.
There are also increased responsibilities on both the Controller's and the Processor's systems, processes and staff to minimise the risk of data loss and breach, such as the ability to anonymise, pseudonymise and physically delete data.
And SARs (Subject Access Requests), which will become free of charge, will now have to be responded to within just 30 days, so data search, extraction and retrieval capabilities are key to avoiding fines.
With the introduction of mandatory breach reporting within 72 hours, the Controller will also need their Processors to be able to respond very quickly if a breach occurs or is suspected.
Sara Howers, December 2016
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.