Significant changes are afoot for processors. With the text of the European Union General Data Protection Regulation (GDPR) now published, processors will need to begin to acclimatise to the new regime under the GDPR. Although the GDPR still places the lion’s share of compliance responsibilities on controllers, it also extends direct application of the law to processors and renders them subject to fines, in an effort to allocate responsibility between the parties.
Key changes and probable implications for processors include the following:
- EU data protection law will apply directly to processors. Unlike the current Data Protection Directive, a number of requirements under the GDPR will apply directly to processors both when a processor is in the EU as well as to certain processors outside the EU.
- Relationships with controllers will be more strictly regulated. The GDPR requires the inclusion of specific provisions in the contract between a processor and a controller, e.g. a processor must obtain consent from the controller before appointing a subprocessor.
- Processors must demonstrate accountability. Processors must maintain a record of all their data processing activities (which should be disclosed to a Data Protection Authority upon request) and processors involved in “large scale” data processing must appoint a data protection officer.
- Both parties are directly responsible for data security. While the requirement under the current Directive to implement security measures is expressed as a contractual requirement on processors as part of their relationship with controllers, the GDPR contains a positive obligation on processors to implement security measures and to consider further security aspects such as pseudonymisation and encryption.
- Rules on data transfers and disclosures. Processors have a role to play in ensuring compliance with data transfer rules and may disclose personal data when required under EU or Member State law.
- Processors will be subject to greater regulatory and judicial exposure. Processors must cooperate with Data Protection Authorities who will have the power, amongst other things, to investigate and fine processors potentially up to 4 percent of total worldwide annual turnover.
To read the article in full including the implications of these changes click here.
This article was first published in the February 2016 edition of World Data Protection Report and is reproduced with permission from World Data Protection Report, 16 WDPR 02, 2/25/16.