GDPR Things for processors processing customer data

GDPR for Processors: Four things you should know (in six minutes)

The General Data Protection Regulation (GDPR) brings big changes for organisations processing customer data. To comply, it is crucial you understand where your responsibilities lie under the new legislation. In this blog, we present the four most important things a data processor should know about the GDPR.

1. The GDPR is a regulation that (also) applies to processors

One of the seemingly small, but very important differences between the GDPR and the Data Protection Directive (95/46/EC) is that the GDPR is a regulation instead of a directive. A directive has to be transposed into national law by each member state, which led to diverging national rules; a regulation is directly applicable in every member state without national implementing legislation. Concretely, this means the same rules apply across all EU member states.

The other difference between the Data Protection Directive and the GDPR is that the GDPR places direct obligations on data processors for the first time. As a data processor, you are responsible for complying with those obligations, or you risk being held liable by the controller or by data subjects and being fined by the supervisory authorities. Since controllers may only engage processors that provide sufficient guarantees of compliance, being able to demonstrate this compliance is also key to continuing to work with controllers at all.

2. The GDPR augments the rights of the subject

As a data processor, you are generally less directly affected by the rights of the data subject than controllers are. However, it is still important to understand these rights, as you will be expected to assist your controllers, insofar as this is possible, in responding to requests from data subjects.

Under the GDPR, data subjects have the right to receive a copy of the data stored about them and can request that data be rectified or erased. They can also object to the processing of their data and withdraw their consent at any time. Work with your controllers to streamline the procedures for locating, rectifying and removing data, and for dealing with withdrawn consent, so they can respect subject rights within the statutory time limits.

3. GDPR-compliance requires focus on some key areas

Many overviews of the GDPR are very extensive, including aspects of the regulation that might not be relevant for you as a data processor. There are, however, plenty of important changes you might need to implement as a data processor. We name five of the steps most data processors will have to take on the road to compliance. An extended list of actions can be found in our whitepaper.

  • In many cases you will have to designate a data protection officer (DPO) and communicate their contact details to the supervisory authority. Even when not required by the GDPR, appointing a DPO is a good idea. The DPO is involved in all issues relating to the protection of personal data and holds an independent position in the company: they report to the highest management level and may not be penalised or dismissed for performing their tasks.
  • Ensure that no processing of personal data takes place except on the controller's documented instructions. Make sure that everyone in your company with access to personal data knows this, so that no employee processes data outside those instructions without realising it. Additionally, do not engage another processor (a sub-processor) without the controller's prior written authorisation.
  • When working with a controller, enter into a written contract (commonly called a Data Processing Agreement, or DPA) that sets out the subject matter and duration of the processing, its nature and purpose, the types of personal data and the categories of data subjects involved. Any sub-processor you engage must be bound, by contract, to the same data protection obligations as those agreed between you and the controller.
  • As a processor, you must provide sufficient guarantees to controllers that you have implemented appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. In particular, you must ensure a level of security appropriate to the risk of the processing, for example through pseudonymisation and encryption of personal data, by ensuring the ongoing confidentiality, integrity, availability and resilience of your processing systems, and by regularly testing the effectiveness of those measures.
  • If you employ 250 people or more, you are required to maintain written records of your processing activities. Smaller organisations are exempt only if their processing is occasional, is unlikely to result in a risk to data subjects and does not involve special categories of data or data on criminal convictions, so in practice most processors will need these records too. The records must contain the information specified in the GDPR and be made available to the supervisory authority on request.

4. Non-compliance can have serious repercussions

We mentioned earlier that non-compliance can have serious repercussions for data processors. Under the GDPR, data subjects have the right to lodge complaints about data processing with a supervisory authority and, crucially, can hold the processor liable. Specifically, you can be held liable for the damage caused by processing where you have not complied with the obligations the GDPR places on processors, or where you have acted outside or contrary to the lawful instructions of your controller. Finally, just like controllers, processors can be fined up to €20,000,000 or up to 4% of total worldwide annual turnover, whichever is higher.

The GDPR is a complex piece of legislation, and this blog by no means offers an exhaustive overview of its content. Cooperation between your legal department, IT department, upper management and outside professionals is key to getting to grips with the GDPR in time. At Datastreams.io we are happy to do our part, providing our Data Stream Manager and Consent Manager. These solutions allow you to manage data streams and consent in your company in a comprehensive and structured way, so you can get one step closer to GDPR compliance.

GDPR Things for controllers collecting and processing customer data

GDPR for Controllers: Six things you should know (in six minutes)

The General Data Protection Regulation (GDPR) brings big changes for businesses collecting or processing customer data. To comply, it is crucial you understand where your responsibilities lie under the new legislation. In this blog, we present the six most important things a data controller should know about the GDPR.

1. The GDPR is a regulation that (also) applies to processors

One of the seemingly innocuous, but very important differences between the GDPR and the Data Protection Directive (95/46/EC) is that the GDPR is a regulation instead of a directive. Unlike a directive, which each member state transposes into its own national law, a regulation is directly applicable in every member state without national implementing legislation. Concretely, this means the same rules apply across all EU member states.

The other difference between the Data Protection Directive and the GDPR is that the GDPR holds processors directly responsible for processing data in a compliant way. Data processors must be able to demonstrate compliance with the GDPR to avoid fines. Additionally, as a controller you may only use processors that provide sufficient guarantees that they implement appropriate technical and organisational measures. This means your processors will likely be more motivated to ensure compliant processing, but it also highlights the importance of carefully selecting and vetting your processors, since you remain accountable for the processing you outsource.

2. Compliance with GDPR-principles must be demonstrated

The GDPR contains several important principles that you need to understand and incorporate into your own business practices. Crucially, you must also be able to actively demonstrate your compliance with them (the accountability principle). The first set are the data protection principles: personal data must be processed lawfully, fairly and transparently, collected for specified purposes, limited to what is necessary, kept accurate, not retained longer than needed, and processed securely. Additionally, you need to demonstrate that the processing is lawful, meaning it rests on one of the lawful bases the GDPR recognises, such as the data subject's consent, the performance of a contract, a legal obligation or your legitimate interests. If you rely on consent, it must be a freely given, specific, informed and unambiguous indication of the data subject's wishes, and you must be able to prove that it was given. Finally, if you rely on consent to offer online services directly to children, you must make reasonable efforts to verify that the consent was given or authorised by a parent or guardian.

3. The GDPR augments the rights of the subject

One of the reasons the GDPR is good for data subjects is that it strengthens their rights. It's important that data controllers understand what rights data subjects have and ensure these rights are respected.

Under the GDPR, data subjects have the right to receive a copy of the data stored about them and can request that data be rectified or erased. They can also object to the processing of their data, ask for it to be restricted, have it transferred to another provider (data portability) and withdraw their consent at any time. These are just a few of the rights a subject has, but they are enough to show how much control data subjects keep over their data after you have collected it. Make sure you communicate these rights to your customers and respect them at all times, both for compliant processing and for a good customer relationship.

4. The GDPR is also about communication

The GDPR is not just about how you handle data, it's also about how you deal with people. The regulation requires you to communicate with your data subjects about your data collection activities in a concise, transparent and easily accessible form, using clear and plain language. Additionally, when collecting their data you must tell data subjects who you are, how to contact you (and your DPO, if you have one), the purposes and legal basis of the processing, who the recipients are and how long the data will be kept. Also, respond to subject requests within the statutory time limit, in general one month, and communicate any rectification or erasure of personal data to each recipient you have disclosed it to. Finally, be prepared to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, and to inform the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

5. GDPR-compliance requires focus on some key areas

The GDPR is a broad legislation, touching upon many different areas of data processing. Exactly which changes you have to make depends on the structure of your company and a full list of possible actions would be quite long. We have, however, compiled five key areas that you should focus on. See our whitepaper for an extended list of possible actions.

  • In many cases you will have to designate a data protection officer (DPO) and communicate their contact details to the supervisory authority. Even when not required by the GDPR, appointing a DPO is a good idea. The DPO is involved in all issues relating to the protection of personal data and holds an independent position in the company: they report to the highest management level and may not be penalised or dismissed for performing their tasks.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to be able to demonstrate that processing is in line with the GDPR. You should also apply the principles of data protection by design and by default: build data protection into every part of how you handle customer data, and make sure that, by default, only the personal data necessary for each specific purpose is processed. Crucially, as a controller you must make sure your processors do so as well.
  • If you employ 250 people or more, you are required to maintain written records of your processing activities. Smaller organisations are exempt only if their processing is occasional, is unlikely to result in a risk to data subjects and does not involve special categories of data or data on criminal convictions, so in practice most controllers will need these records too. The records must contain the information specified in the GDPR and be made available to the supervisory authority on request.
  • When working with a processor, make sure to enter into a written contract that specifies the subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects. Ensure this contract covers the obligations the GDPR requires of processors, such as that the processor may only act on your documented instructions, must keep the data confidential, must assist you with subject requests and breach notifications, and must delete or return the data at the end of the service.
  • Carry out a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in a high risk to data subjects, for example large-scale processing of special categories of data or systematic monitoring of publicly accessible areas, and seek the advice of your DPO while doing so. If the DPIA shows that the processing would still pose a high risk without further measures to mitigate it, you must consult the supervisory authority before starting.

6. Non-compliance can have serious repercussions

We don't want to scare you, but non-compliance with the GDPR can pose a big threat to your business. Under the GDPR, data subjects have the right to lodge complaints about your data processing with a supervisory authority. Additionally, controllers are liable for the damage caused by non-compliant processing, and any data subject who has suffered material or non-material damage has the right to receive compensation. Finally, fines of up to €20,000,000 or up to 4% of total worldwide annual turnover, whichever is higher, can be imposed on non-compliant organisations.

The GDPR is a complex piece of legislation, and this blog by no means offers an exhaustive overview of its content. Cooperation between your legal department, IT department, upper management and outside professionals is key to getting to grips with the GDPR in time. At Datastreams.io we are happy to do our part, providing our Data Stream Manager and Consent Manager. These solutions allow you to manage data streams and consent in your company in a comprehensive and structured way, so you can get one step closer to GDPR compliance.