GDPR is Coming: 7 Steps Processors Need to Take to be Compliant

Obelisk Support consultant Alisha McKerron Heese provides some advice on how data processors can comply with upcoming GDPR legislation.

We are fast reaching the countdown phase for the General Data Protection Regulation (GDPR) which comes into effect in just over six months on 25th May 2018. 

Preparing for GDPR is a complex process which requires far more than merely updating your processing agreements and fulfilling your contractual obligation. While the regulations stipulate that certain provisions be inserted in processing agreements (art. 28(3)), they do not stop at that. For the first time, statutory data protection requirements (which previously only applied to data controllers) will place direct obligations on you as well. This enables data subjects to enforce their rights directly against you. Non-compliance is also more severely punished, through significantly heavier fines. To be precise, under the current law, the maximum fine the Information Commissioner can impose is £50,000. Under GDPR, however, that fine can be anything up to 4% of an organisation’s annual worldwide turnover, or 20,000,000€, whichever is largest.

So, what are these new requirements and what steps should you take to ensure that you will be compliant from 25 May 2018?

#1 Review Existing Processing Agreements 

Your processing agreements must be GDPR compliant. This means that you have agreed to:

  1. Process personal data only after documented instructions from your client
  2. Ensure that all of your employees who are authorized to process personal data have committed themselves to confidentiality
  3. Take appropriate security measures (see step 3 below)
  4. Engage sub- processor correctly (see step 6 below)
  5. Help your client(s) to respond to requests by data subjects who are exercising their rights
  6. Help your clients to meet their compliance obligations (relating to securing personal data, data breaches, data impact assessments, and consultations with the supervisory authority)
  7. At the choice of your client, delete or return personal data
  8. Allow for and contribute to audits conducted by your client.

More details here.

#2 GDPR Compliance Accountability Procedures

You must have determined if you are required to maintain written records of categories of processing activities (art. 30). This requirement originates from the accountability principle (art. 5), a re-occurring theme throughout GDPR which puts the onus on you to be responsible for, and to demonstrate compliance. Information which must be captured includes details of any other processors, your client’s details and those of Data Protection Officers (DPO), categories of processing, details of transfers to third countries and a description of general technical and organizational security measures (art. 30 (2)). These records must be provided to the supervisory authority on request.

If you employ 250 employees or less, you will be excluded from this requirement provided that the processing does not pose a risk to the rights and freedoms of individuals, is not more than occasional, and does not include special category data.

Note: Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, and biometric data or data concerning health or data concerning a natural person’s sex life or sexual orientation (art. 9(1)).

#3 Data Security

You must have appropriate security measures – referred to as appropriate technical and organisational measures (art. 32). If you are wondering what appropriate technical and organisational measures means, you are not the first. No definition is provided by the regulation, thereby putting the onus on you to decide. You must consider a variety of factors:  the sensitivity of data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and nature of processing.

This requires you to have a comprehensive understanding of your systems and the type of data processed. While they can vary, appropriate measures include pseudonymisation and encryption of personal data. Regular testing of any security measures is also required where appropriate. This will enable you to detect any weaknesses and pick up any problems quickly which is particularly important in the event of a breach.

More details here.

#4 Data Breach Notification

You must be able to detect data breaches and notify the controller without undue delay upon becoming aware of a breach (art. 34). It may be in your interests to clarify in your processing agreement (if you have not already done so) when delay may be undue as this is not made clear in the regulation.

More details here.

#5 Data Protection Officers

You must have a DPO if required, although you may have one even if not required. A DPO is required if you are a public authority, if processing requires regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of processing large scale special categories of personal data. A DPO’s primary role is to independently advise you on compliance with the GDPR, and they are the contact point for any data subjects and for the supervisory authority.

More details here.

#6 Reviewing Use of Subcontractors

You must have prior specific or general written authorisation from your client if you enlist another processor or replace a sub-processor (art. 28(2)). You must reflect the same contractual obligations you have with your client in a contract with any sub-processor and shall remain liable to your client for the action or inaction of any sub-processor.

#7 International Transfers

You must ensure that you have appropriate safeguards for any transfers of personal data to a third country (in the absence of an adequacy decision) and that the data subjects have enforceable rights in that country with respect to the data. This is your decision to make, and is independent of any instructions from your client with regards to data processing.

More details here.

Making your processing agreement GDPR complaint is just the start.  The steps outlined above are by no means an exhaustive list, but should hopefully assist you in your journey to becoming GDPR compliant. Not long to go before the clock stops ticking!