The buzz about the European Union’s upcoming General Data Protection Regulation (GDPR) is gathering steam as May 25th, 2018, draws close. One of the much-discussed elements of this law is the new guidelines it has laid down for data controllers and processors. While the GDPR retains some of the obligations that the Data Protection Directive places on both parties, it has introduced some new ones too. In this blog, we will discuss the responsibilities that the GDPR has conferred on each, and provide insights into how an organization, whether it is a controller or a processor, can start preparing itself to be GDPR-ready.
Who is a Controller? What is the Definition of a Processor?
In today’s digital world, data collection and storage is more of a norm than an exception. Businesses may collect individual data for advertising, marketing, analytical, or research purposes. Each time a business collects and processes an individual’s personal data, it does so as a ‘controller’ or a ‘processor.’ In Chapter 1, Article 4 of the GDPR the two are defined as below:
‘Controller’ is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
‘Processor’ refers to “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
If an organization controls and is responsible for the personal data that it holds, it is a data controller. If, on the other hand, it holds the personal data, but some other organization decides and is responsible for what happens to the data, then it is a data processor.
Controller vs. Processor: Who is Impacted by the GDPR?
The answer to this is both. Under the outgoing Data Protection Directive 95/46/EC, only controllers are liable for data protection non-compliance. However, the EU General Data Protection Regulation (GDPR) will strike a balance by allotting direct obligations to data processors as well.
According to Article 83, in the case of non-compliance, fines can be applied to both controllers and processors. These fines shall be imposed regarding “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.”
This represents a significant change and will dramatically increase the risk profile for entities, such as cloud and datacenter providers, that act as data processors. However, the impact will also be felt by controllers who engage their services as the increased cost of compliance may lead to a consequent increase in the cost of the processors’ services. Controllers will also have to be extra vigilant about the processors they engage with and ensure that they have the technical and operational measures required to be GDPR-compliant.
What are the Controller’s Responsibilities?
Now that we have established that both the controller and processor will share data protection obligations, let’s dive deeper into their responsibilities.
The controller is the principal party for data collection responsibilities. These responsibilities include collecting individual’s consent, storing of the data, managing consent-revoking, enabling the right to access, etc. It has to possess the ability to demonstrate compliance with the principles relating to the processing of personal data. These principles are listed in the GDPR as “lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data.”
The GDPR provides additional detail on how organizations can demonstrate that their processing activities are lawful.
If an individual revokes consent, the controller will be responsible for initiating this request. Therefore, on receipt of this request, it will be required to ask the processor to remove the revoked data from their servers.
If there are several organizations that share the responsibility for the processing of personal data, the EU GDPR includes the existence of joint controllers. The joint controller is expected to determine their respective responsibilities by agreement and provide the content of this agreement to the data subjects, defining the means of communication with processors with a single point of contact. The GDPR makes joint controllers fully liable.
The outgoing directive exempts controllers from liability for harm arising in cases of force majeure or unforeseeable circumstances that prevent them from fulfilling their contractual agreement. The GDPR contains no such exemption, meaning that controllers may bear the risk in force majeure cases.
The controller will have to record all data breaches. They are obliged to disclose any data breaches to GDPR-enforcing authorities on demand. Since the 72-hour deadline for reporting data breaches is likely to prove extremely challenging for the controller, experts advise organizations to appoint a person to take responsibility for reviewing and reporting data breaches, and implement clear data breach reporting policies and procedures, as required.
The controller is expected to work only with those processors that have the appropriate technical and organisational measures to comply with GDPR guidelines. In other words, data controllers, i.e., customers of data processors shall only choose processors that comply with the GDPR, or risk penalties themselves.
As supervisory authorities enforce penalties on controllers for lack of proper vetting, processors may find themselves obligated to obtain independent compliance certifications to reassure controllers who wish to avail their services. They may also need to take steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing. It is likely that processors located outside the EU may resist the imposition of these new obligations, potentially making it harder for controllers to lawfully appoint their desired processors, and resulting in more complex negotiation of outsourcing agreements.
What will a Processor have to do to be GDPR Compliant?
The processor is forbidden from using personal data it is entrusted with for purposes other than the ones outlined by the data controller. Upon request, the processor has to delete or return all personal data to the controller at the end of the service contract.
It can transfer personal data to a third country only after it receives legal authorization.
It has to obtain written permission from the controller before engaging a sub-contractor and assume full liability for failures of sub-contractors to meet the GDPR.
The processor has to enable and contribute to compliance audits conducted by the controller or a representative of the controller.
If there is data breach, the processor is expected to notify the data controllers without undue delay.
A processor is further required to maintain a record of data processing activities if it qualifies for any of the following criteria:
- Employs 250 or more persons;
- Processes data that is “likely to result in a risk to the rights and freedoms of data subjects;”
- Processes data more than occasionally;
- Processes special categories of data as outlined in Article 9(1); or
- Processes data relating to criminal convictions.
Processors will also need to review existing data processing agreements to ensure that they have met their compliance obligations under the GDPR.
Who is required to appoint a DPO?
The concept of a ‘Data Protection Officer’ (DPO) for organizations processing personal data has been a mandatory requirement in some countries and best practice in others. However, the GDPR will make the appointment of a DPO mandatory for organizations regardless of their size or whether they are processing personal data in their capacity as a controller or a processor in select circumstances.
Under the GDPR (Article 37), there are three main scenarios where the appointment of a DPO by a controller or processor is mandatory:
- The processing is carried out by a public authority;
- The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
- The core activities of the controller or processor consist of processing on a large scale of sensitive data or data relating to criminal convictions / offenses.
‘Core activities’ here refer to a controller or processor’s key operational activities. This does not include supporting activities such as payroll or IT support which are ancillary functions.
Organizations take into account a number of factors when determining if their processing is of ‘large scale’. These include:
a) the number of data subjects concerned;
b) the volume of data or range of data items;
c) the duration of the processing; and
d) the geographical extent of the process
Regular and systematic monitoring includes all forms of tracking and profiling on the internet. It is, however, not restricted to the online environment and could also include offline activity. ‘Regular’ monitoring will mean ongoing or occurring at particular intervals for a particular period; recurring or repeated at fixed times or constantly or periodically taking place. ‘Systematic’ monitoring refers to monitoring that happens according to a system, pre-arranged, organized or methodical, taking place as part of a general plan for data collection, or carried out as part of a strategy.
It is also important to note that if an organization does not meet the requirements in the GDPR, but instead voluntarily decides to appoint a DPO, then the same requirements that apply to mandatory DPOs will still apply. If an organization decides not to appoint a DPO, it is advised to document those reasons clearly.
Qualifications of a Data Protection Officer
While the GDPR does not specify their precise credentials, a data protection officer is expected to have enough professional experience and knowledge of data protection law. This expertise should be proportionate to the type of processing the organization carries out and the level of protection the personal data requires.
Disclaimer: Please note that in this blog, we have provided basic information regarding the GDPR. WSI is not a legal authority for GDPR and can only offer advice on the best practices to follow while carrying out any digital marketing initiative. However, for advice regarding the legal interpretation of this law for your business, please approach a legal or data protection official.