GDPR for Processors: Four things you should know (in six minutes)
The General Data Protection Regulation (GDPR) brings big changes for organisations processing customer data. To comply with the new legislation, it is crucial you understand where your responsibilities lie with the new legislation. In this blog, we present the four most important things a data processor should know about the GDPR. You can find our article for controllers [here]. Refer to the table below to determine whether you are a data controller or a data processor.
This blog is a shortened version of our whitepaper ‘GDPR for processors in ten minutes’. If you want a more detailed guide in addressing the GDPR, be sure to download it at our library.
1. The GDPR is a regulation that (also) applies to processors
One of the seemingly small, but very important differences between the GDPR and the Data Protection Directive, is that the GDPR is a regulation instead of a directive. The regulation status of the GDPR means it exerts a legally binding force on all member states. Concretely, this means the regulation applies the same way across all EU Member states.
The other difference between the Data Protection Directive and the GDPR, is that the GDPR places direct obligations on data processors for the first time. As data processor, you will be responsible for ensuring compliance, or risk being held liable by controller or data subjects and being fined by the authorities. Since controllers will be looking for compliant processors, demonstrating this compliance is also key to continue working with controllers at all!
2. The GDPR augments the rights of the subject
As data processor, you are generally less affected by the rights of the subject than data controllers. However, it is still important to understand the rights of the subject under the GDPR, as you will be expected to assist your controllers in respecting them in whatever way possible.
Under the GDPR, data subjects have the right to receive a copy of data being stored about them and can request data to be rectified. They can also object to the processing of their data and withdraw their consent at any time. Work with your controllers to streamline the procedures of removing and rectifying data or dealing with withdrawn consent to help them respect subject rights.
3. GDPR-compliance requires focus on some key areas
Many overviews of the GDPR are very extensive, including aspects of the regulation that might not be relevant for you as a data processor. There are, however, plenty of important changes you might need to implement as a data processor. We name five of the steps most data processors will have to take on the road to compliance. An extended list of actions can be found in our whitepaper.
- In many cases you’ll have to designate a data protection officer (DPO) and communicate their contact details to the supervisory body. Even when not required by the GDPR, appointing a DPO is a good idea. This data protection officer is involved in all issues relating to the protection of personal data and holds an independent position in the company.
- Ensure that no processing takes place on personal data except on the controller’s instructions. Make sure that this is common knowledge across your company, to prevent any natural person working for the company from doing so unknowingly. Additionally, ensure you do not engage with another processor without authorisation from the data controller.
- When working with a controller, you should enter into written contract with the data controller to specify processing activities and duration. An example is entering into a “Data Processing Agreement” (DPA). Any sub-processors will be subject to the same contractual data protection obligations as between the first data processor and data controller.
- As processor, you should provide sufficient guarantees to controllers that appropriate technical and organisational measures for GDPR compliance are implemented. Additionally, processors should ensure a level of security appropriate to the risk posed by data processing.
- If you employ more than 250 people, you are required to maintain written records of processing activities. These records must contain specific information (specified in the GDPR) and be made available to supervisory authorities.
4. Non-compliance can have serious repercussions
We talked before about how non-compliance can have serious repercussions for data processors. Under the GDPR data subjects have the right to lodge complaints about data processing and, crucially, can hold the processor liable. Specifically, you can be held liable for the damage caused by processing where you have not complied with the GDPR obligations, or where you have acted contrary to the lawful instructions of your data controller. Finally, just like controllers, fines up to €20,000,000 or up to 4% of global turnover can be imposed on non-compliant organisations.
The GDPR is a complex legislation, and this blog by no means offers an exhaustive overview of its content. Cooperation between your legal department, IT department, upper management and outside professionals is key to getting to grips with the GDPR in time. At Datastreams.io we are happy to do our part, providing our Data Stream Manager and Consent manager. These solutions allow you to manage data streams and consent in your company in a comprehensive and structured way, so you can get one step closer to GDPR-compliance.