Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

On of the key failings of the EU legislation is the apparent lack of standard EU approved clauses. They will arrive – at some point. For now, many vendors both inside and external to the EU will need to manage as best they can. We have covered the main contractual relationships required between processors and controllers. However, in brief they are:

• Controllers must only use processors which are able to guarantee that they will meet the requirements of the GDPR and protect the rights of data subjects.
• Controllers must ensure that they put a contract in place which meets the requirements set out in the available guidance.
• They must provide documented instructions for the processor to follow.
• Controllers remain directly liable for compliance with all aspects of the GDPR, and for demonstrating that compliance. If this isn’t achieved, then they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures

One of the major contractual changes between Controller–Processor is going to be the need to keep processing records. Given the nature of the change, if the provider is outside of the European area, this would be an important contractual requirement. It is also an important record of activity if a breach or error occurs.

It seems logical that most companies in the data business would see keeping records of processing activity as a normal standard business practice. Not so it seems.

For analytics (or any procurement platform provider), it may well be worth keeping some form of record of processing activity — if this is not currently a part of operational management. This may cover elements like data refresh receipt, refresh activity, new report generation and any other activity that takes place on the data. Remember, it would make sense to have one processing record for every processing requirement made by a controller. What would this take? A simple spreadsheet entry in most cases.

This may seem onerous, but if suppliers are anonymising or removing data from the transactions records, the who, what, why, where and when of processing maintained in records will allow tracking and follow up of errors if a breach occurs. It is an overhead – but is the basis of managing data more carefully and being able to cope with an audit.
However, as we will explain in a later post, the bureaucracy of the EU knows no bounds. We will introduce the concept of the DPIA, (Data Protection Impact Assessment) shortly.

The DPIA is an interesting concept — quite what anyone would do with these assessments at Supervisory Bodies (given the likely volumes) has to be questionable.

However, prior to that, we have to cover the thorny subject of consents.

Thanks, Tony.