GDPR reveals the new role and responsibilities of data controllers and processors
Under the current data protection regime (the 1995 Data Protection Directive), data protection obligations fall predominantly on the Controller, i.e. the entity that determines the purposes and means of processing personal data. Under the GDPR the Processor takes on additional, direct responsibilities. For example, the processor will have to assist the controller in determining and implementing appropriate security measures. The processor will also need to make available to the controller the information necessary to demonstrate compliance, and will be required to allow for and contribute to audits.
The European Union is the driving force behind the new data privacy regulation, which is probably the area of law that has undergone the most radical change. In this blog we focus on the relationship between the Data Processor and the Controller, where the GDPR requires the processor to obtain the controller's prior written authorisation before engaging a sub-processor, thereby placing control over sub-contracting with the Controller.
GDPR can reduce paperwork
In certain EU countries there can be friction in the 'controller to processor' relationship, because national requirements for data processing agreements go beyond the scope of the EC Model Clauses. This issue has typically been addressed by signing additional contracts when transferring personal data to processors located outside the EU.
The GDPR allows data processor agreements to be executed in electronic form. This is practical, especially for cloud computing services, when putting appropriate data processor arrangements in place for personal data transfers within the EU. The same can apply to agreements covering data transfers to third countries.
Data transfers between single entities within multinational groups
The GDPR stipulates extended obligations for data controllers and data processors (e.g. the records of processing activities required by Article 30) covering any personal data processed in connection with the business. Because the GDPR also applies extraterritorially, multinational groups will need to make additional changes when implementing its articles.
- The GDPR regulates processing of data on behalf of the controller, including data transfers within multinational groups and the use of external IT (cloud) services.
- The intragroup privilege, under which a group entity processing data on behalf of the controller is not deemed a third party (Recital 48), remains intact under the GDPR.
Processor certification to achieve GDPR compliance
Businesses located in the EU will need to carefully review the addition of new clauses to existing data processor agreements. The GDPR recognises that third-party certification can be used as a means of demonstrating compliance, and some regulators are in favour of certification, but there is as yet no official guidance indicating which certifications will be accepted. An applicable GDPR certification would allow processors to achieve compliance in a faster and more flexible way.
For a processor certification to be meaningful, data processor agreements will need to be rather specific about the instructions issued by the controller and the level of security measures that must be applied.
Presenting all the impacts of the Governance, Risk Management, Compliance and IT Security relationship between the Controller and the Processor under the GDPR is hardly possible in this blog. Further updates are provided during our GDPR seminars, conferences, workshops and Boot Camps:
Copenhagen 17th August 2017; http://copenhagencompliance.com/gdpr/
London 5th September 2017, http://copenhagencompliance.com/2017/gdpr-uk/
Copenhagen 16th September 2017, http://copenhagencompliance.com/2017/gdpr-cph/
Copenhagen 28th October 2017, http://copenhagencompliance.com/2017/gdpr-cph/
London 23rd November 2017, http://www.grcassembly.com/mailer/GDPR-Bootcamp.html