It will not have escaped organisations’ attention that data protection law has undergone significant reform lately. The GDPR has applied since 25 May 2018, and the UK also has a new Data Protection Act 2018 (DPA 2018), now in force following its rapid passage through Parliament in the final weeks before that date.
Much of the media attention centred on how the new laws enhance the rights of individuals and on the potential fines organisations could face for infringements: up to the greater of €20 million or 4% of annual worldwide turnover (the DPA 2018 provides that the sterling equivalent is determined by the exchange rate on the date the penalty notice is issued). The new laws also change the way businesses must contract with each other whenever personal data is likely to be shared between them.
The DPA 2018’s overview makes it clear that most personal data processing is subject to the GDPR and applies domestic rules for types of processing not covered in the GDPR (for example immigration).
The GDPR and DPA 2018 set out that where a data controller engages a data processor (which may arise, for example, where an organisation uses an external third-party payroll provider), it should only do so if the processor has provided sufficient guarantees that it will implement appropriate technical and organisational measures such that the processing meets the requirements of the GDPR and protects the rights of data subjects.
The GDPR and DPA 2018 state that processing by a processor should be governed by a binding contract and that this contract should include:
- Details of:
- The subject-matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and categories of data subjects involved; and
- The obligations and rights of the controller and processor.
- The following obligations on the processor:
- To only process the personal data on documented instructions from the controller, including with regard to transfers of personal data to a third country or international organisation (save where the processor is required by law to process the data, in which case it should inform the controller of the legal requirement before processing, unless that law prohibits such a communication);
- To ensure that those authorised to process the data have committed themselves to confidentiality or have a statutory duty of confidentiality;
- To implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- Not to appoint another processor without prior specific or general written authorisation of the controller. In the latter case, the processor must inform the controller of any addition/replacement of other processors, thereby giving the controller the opportunity to object to such changes;
- To assist the controller (taking into account the nature of the processing) by appropriate technical and organisational measures, insofar as is possible, for the fulfilment of the controller’s obligations to respond to requests exercising data subjects’ rights;
- To assist the data controller (taking into account the nature of the processing and information available to the processor) in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- At the choice of the controller, to return to the controller or delete all personal data after the end of the provision of the service (and to delete existing copies), unless required by law to keep a copy; and
- To make available to the controller all information necessary to demonstrate compliance with these obligations, and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. The processor must also immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other data protection law.
If the initial processor engages another processor (a sub-processor), it must ensure that the same data protection obligations are imposed on that sub-processor by contract, and it remains fully liable to the controller for the performance of the sub-processor’s obligations.
As a matter of good practice, controllers should include wording in a contract to stress that nothing in the contract relieves the processor of its own obligations under data protection legislation.
Organisations may also want clauses in their contracts with other controllers relating to GDPR obligations, although the GDPR and DPA 2018 do not strictly require this. However, if the organisations are in fact considered ‘joint controllers’ they do need to have transparent arrangements in place, the essence of which should be made available to the relevant data subjects.
The GDPR and DPA 2018 tighten the restrictions on transferring personal data outside the EU (strictly, the EEA). Generally, under the GDPR and DPA 2018, personal data may not be transferred outside the EU unless:
- The country in question has received an adequacy decision from the European Commission (examples of countries which currently have adequacy decisions include the USA (provided such transfers fall within the Privacy Shield framework; note that the Privacy Shield decision was subsequently invalidated by the Court of Justice of the EU in July 2020), Canada (for commercial organisations) and Argentina). The intention is that post-Brexit the UK will also receive an adequacy decision;
- Appropriate safeguards have been put in place. These may include, for example, standard contractual clauses adopted by the European Commission (or adopted by a supervisory authority and approved by the Commission), or Binding Corporate Rules for organisations in the same corporate group or enterprises engaged in a joint economic activity (these have to be approved by the competent data protection supervisory authority); or
- (In limited circumstances) a derogation applies or the transfer falls within the narrow exception relating to one-off, limited transfers for compelling legitimate interests (for this latter category, however, the supervisory authority and the data subjects must be informed).
It should also be noted that there may be circumstances where an EU-based data controller allows access to its IT systems for specific purposes to, for example, an IT service provider based outside the EU or a parent company. In granting such access, a data controller has an overriding GDPR obligation in relation to data security, so it will need to assess the extent to which the access may lead to a risk of unauthorised or unlawful processing, accidental loss, destruction or damage, and, to the extent necessary, put in place appropriate “technical or organisational security measures” by way of mitigation. In practice this means limiting the access to what the purpose requires, controlling and logging who can use it, and reviewing it when the purpose ends.
It is also possible that the IT service provider or parent company in this example is itself carrying out processing (for example, deleting data remotely, which can be done without the data leaving the controller’s systems). In that case there will be an obligation both to inform the relevant data subjects about this access and the nature and purposes of the processing, for example in a privacy notice, and for the controller to enter into a formal contract with the processor imposing the obligations specified in the GDPR and set out above.
Further, particularly in the case of a parent company, the party with access to the IT systems may well be a controller in their own right if they, for example, use this data for their own purposes (such as to make decisions about the global business). They will, therefore, need to consider their own obligations under the GDPR if they are caught by its provisions (for example, if they monitor, or provide goods and services to, data subjects in the EU). Unfortunately, what constitutes monitoring under the GDPR is (perhaps purposefully) unclear.
Audit and compliance
If you thought getting compliant by 25th May 2018 was the end of it, then you were wrong. In the words of the ICO, compliance with the GDPR is a ‘long haul journey’.
Organisations need to continue to review their processes, stay alert to any new processing activities they carry out (which have not already been mapped and referred to in privacy notices) and conduct regular audits to ensure their systems remain effective and compliant.
Processors should also consider how they might deal with an audit request from data controllers which they will be contractually bound to assist with (as set out above).