One of the big horizon issues exercising in-house lawyers is the raft of new compliance obligations which will be directly enforceable against data processors under the General Data Protection Regulation (GDPR) which ministers have confirmed will apply from 25 May 2018. The new framework will have an impact upon any business activities that make use of data processors, as the new requirements fundamentally change the relationship between data controllers and data processors.
Currently, under the Data Protection Act 1998, a data processor is only to act upon the instructions of the data controller, and any liabilities of the data processor are only those as stated within the contractual agreement with the data controller. Therefore, data processors are not directly liable for any damage caused to data subjects by the processing operations.
This will change under the GDPR as data processors become liable for any damage caused to data subjects by the processing of personal data if they do not comply with their obligations. In addition, the GDPR mandates that the data controller and data processor will have joint liability with regard to any damage caused by the processing whilst working together on the same processing operations.
The ramifications of this change in liability exposure in the UK may be even greater upon confirmation of the ability to claim for ‘mere distress’ under the Vidal-Hall case (see: Google Inc v Vidal-Hall & Ors  EWCA Civ 311 (27 March 2015) and the Practical Law legal update) currently being appealed to the UK Supreme Court.
Checklist of headline considerations for data controllers
In light of the GDPR’s reorientation, imposing responsibility on data processors, the starting point for data controllers is to audit any and all current agreements with data processors. This may necessitate their renegotiation. In particular, check that agreements require the data processor to:
- Process personal data only in accordance with documented instructions from the data controller, including any international transfers permitted.
- Ensure that any and all personnel of the data processor involved in processing have appropriate confidentiality obligations in place.
- Ensure it has appropriate technical and organisational security measures in place to guard against unauthorised or unlawful processing, as well as accidental loss, destruction or damage, including but not limited to: pseudonymising or encrypting personal data; ‘Data Protection by Design’ / ‘Data Protection by Default’ consistent with any certification issued by a supervisory authority such as the UK’s Information Commissioner’s Office (ICO).
- Ensure that the data processor notifies the data controller without undue delay upon becoming aware of a personal data breach or circumstances that give rise to a breach and within a timescale that allows the data controller to report such breach within 72 hours to a supervisory authority. Any such notice issued by the data processor to the data controller should include: the nature of the breach; categories and numbers of data subjects affected; categories and numbers of records affected; likely consequences of the breach and measures to be taken in mitigation; and timescales.
- Co-operate with the data controller and take such reasonable steps to mitigate any personal data breach.
- Co-operate with the data controller in regard to privacy impact assessments.
- Co-operate with the data controller or its auditors to demonstrate compliance.
- Maintain a record of processing, including: categories of processing carried out; details of any international transfers; details of the data processor and its data protection officer(s); data maps illustrating the flow of data within processing operations; and a general description of the technical and organisational security measures.
- Delete or return all data to the data controller at the end of the term.
Checklist of headline considerations for data processors
Again, the recommended starting point is to audit any and all current agreements with data controllers.
Given the increase in obligations, and the exposure to fines from supervisory authorities, a data processor must build this in to their pricing structure in order to ensure that their increased costs are being covered.
In particular, check that agreements require the data controller to:
- Provide details of the nature and the purpose of the personal data to be processed, and the duration of the processing.
- Provide a warranty to the data processor that the data controller has obtained any and all consents of data subjects required in order to commence the processing of the personal data, and that the data controller has recorded or documented these consistent with the record keeping requirements under the GDPR.
- Agree precisely what categories of personal data are to be included, and whether this includes or excludes sensitive personal data – the latter of which requires a higher level of security. If sensitive personal data is not to be included, the data controller should provide a warranty that no such data will be sent to the data processor, or that all of its costs will be covered in such an event.
- Agree to permit the international transfers of personal data to an affiliate of the data processor, or subprocessor by means of the currently recognised methods: under the EU model clauses; under the EU-US Privacy Shield; under the permitted derogations in the GDPR for specific situations, such as necessary for the performance of a contract; or under Binding Corporate Rules, if applicable.
- Ensure that where any personal data of data subjects not based in the European Economic Area (EEA) is processed outside the EEA, then the obligations under the GDPR do not apply to that processing. This is subject to organisations from inside the EEA not monitoring or selling to those data subjects.
- Agree that if a fine is issued jointly against the data controller and the data processor, only that portion for which the data processor is strictly liable shall apply directly to it.
Towards an EEA data processing silo?
Not all of these changes are for the better.
Under the GDPR, transfer rights are only broadened slightly – for one-off transfers in the legitimate interests of the data controller – but generally remain the same as under the current Directive. That potentially raises costs for the data controller, and ultimately the data subjects, as outsourcing to reduce costs of processing continues to be restricted.
And if our old friend Mr. Schrems of ‘Safe Harbor’ invalidation fame should have his way, even the remaining transfer methods available under the Model Clauses and the EU-US Privacy Shield may fall as well. In addition, the EU has not broadened the adequacy list: Monaco, Dubai, Singapore, Australia, Hong Kong, South Korea, and Japan and other arguably worthy territories are still not on it.
Therefore, there are certainly the beginnings of an ‘EEA silo’ of processing, whereby personal data cannot be transferred outside the EEA. Cloud operators with global operations must be particularly concerned.
In conclusion, both data controllers and data processors need to have a thorough understanding of the new obligations under the forthcoming GDPR, given the expected impact upon business operations.
Data processors are particularly affected: a new liability regime, coupled with higher level requirements, may have unintended consequences given the restrictions on outsourcing generally and global Cloud providers in particular. This in turn may lead to more EEA-based processing, which inevitably raises costs for all.
For more information on preparations for GDPR, please refer to Practical Law Data Protection’s EU General Data Protection Regulation toolkit.