Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at email@example.com.
In the last post, we looked at some of the conditions and responsibilities that processors have regarding personal data that is exported outside of the European Union – we will continue with that theme and then move on to start examining the contractual elements. There’s a lot to digest, even if we are breaking this series into digestible chunks — so grab some coffee first if you must.
The GDPR is quite clear on the responsibilities of processors – in addition to the responsibilities itemised in my last post, they must:
- assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR – this means that a processor may have to help identify and report any data that is part of a data subject access request (DSAR);
- Data Subject Access Requests will be the focus of a separate post – DSARs are likely to create a lot of overhead for some types of company;
- assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- delete or return all personal data to the controller as requested at the end of the contract;
- submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR – or another data protection law of the EU or a member state.
Be aware that each member state within the EU may have local country specific conditions. You would be well advised to check especially if you operate across multiple EU member states.
For example, the UK ICO (Information Commissioners Office) warns that processors should be aware that:
- they may be subject to investigative and corrective powers of supervisory authorities (such as the ICO) under Article 58 of the GDPR;
- if they fail to meet their obligations, they may be subject to an administrative fine under Article 83 of the GDPR;
- if they fail to meet their GDPR obligations they may be subject to a penalty under Article 84 of the GDPR; and
- if they fail to meet their GDPR obligations they may have to pay compensation under Article 82 of the GDPR.
It’s a lot of potential fails – and a lot of potential penalties.
How enforceable this is for non-EU suppliers has yet to be attempted – but there is a high probability that an EU test case will emerge quickly post GDPR implementation. Like most commercial relationships, it will also revolve around the notion of a contract.
The ICO makes two points on this with its own data processing contracts:
- that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR; and
- the contract will enforce any indemnity that has been agreed (upon).
We will look at the contractual obligations in the next post. We cannot promise that the guidance gets any clearer from any other Supervisory Bodies across the EU.