GDPR: How important is the role of data processors and compliance officers?
With the introduction of the GDPR in May 2018, businesses operating in Europe will have to appoint additional data processors and compliance officers to cope with the changes.
As of May 2018, the General Data Protection Regulation (GDPR) will greatly increase the accountability of data processors and compliance officers, meaning that their roles will become more important than ever before.
For the first time in data processing history, professionals in these roles will have a direct obligation to comply with certain data protection requirements that previously only applied to data controllers.
The GDPR will create a greater balance between the responsibilities placed on data controllers and data processors. This will dramatically increase the risk profile for entities - like cloud and data centre providers - that act as data processors.
How will this impact businesses?
For every business that deals with the processing of data, this change will not only have an effect on processors, but also the controllers that engage them.
With the GDPR, it is likely that there will be more attention given to negotiating data processing agreements. This is because processors will seek to ensure that:
- Increased costs of compliance are reflected in the cost of their services
- The scope of the controller’s instructions is clear
- The increased risks are appropriately allocated between the parties.
Companies should also consider reviewing their existing data processing agreements to ensure they have met the correct compliance obligations under the GDPR.
How is this different from current procedures?
Under current law, only the controller is held liable for data protection compliance, not the processor. Under the GDPR, however, data processors will have a direct statutory obligation, meaning that they may be subject to direct enforcement by supervisory authorities.
In addition, they could face serious fines for non-compliance and compensation claims by data subjects for any damage caused by breaching the GDPR.
What are the obligations that apply to data processors?
Once the GDPR is in force, a series of obligations will apply to data processors, including:
- Data Processing Agreements - Personal data can only be processed on behalf of the controller when there is a written contract in place that imposes mandatory terms on the data processor.
- Sub-processors - processors cannot engage a sub-processor without the prior written authorisation of the controller.
- Controller instructions - personal data can only be processed in accordance with the instructions of the controller.
- Accountability - records of data processing activities must be maintained and made available to the supervisory authority on request.
- Co-operation - processors must co-operate with the supervisory authority.
- Data security - appropriate security measures must be taken and controllers must be informed of any data breaches suffered.
- Data Protection Officers - processors must, in specified circumstances, designate a data protection officer.
- Cross-border transfers - the restrictions on cross-border transfers of personal data must be complied with.
- Sanctions - Should processors fail to comply, they risk fines of up to four per cent of global annual turnover.
Ensure your business is prepared for the upcoming GDPR changes by signing up to our free overview course.