06 July 2018
It will not have escaped organisations’ attention that data protection law has recently undergone significant reform. The GDPR came into force on 25 May 2018, and we also now have a new Data Protection Act 2018 (DPA 2018), which is in force following its rapid, last-minute passage through Parliament.
Much of the media attention has centred on how the new laws enhance the rights of individuals and on the fines organisations could face for data breaches: up to the greater of €20 million or 4% of annual worldwide turnover (the DPA 2018 provides that the sterling equivalent is fixed by the exchange rate on the date the penalty notice is issued). The new laws also change the way businesses must deal with each other whenever personal data is likely to be shared.
The DPA 2018’s overview makes it clear that most personal data processing is subject to the GDPR; the Act then applies domestic rules to types of processing that fall outside the GDPR (for example, certain immigration-related processing).
The GDPR and DPA 2018 provide that where a data controller engages a data processor (as it would, for example, by outsourcing payroll to an external third-party provider), it may do so only if the processor has given sufficient guarantees that it will implement appropriate technical and organisational measures to meet the requirements of the GDPR.
The GDPR and DPA 2018 state that processing by a processor should be governed by a binding contract and that this contract should include:
If the initial processor in turn engages another processor (a sub-processor), it may do so only with the controller’s prior authorisation, it must ensure that equivalent provisions are included in its contract with the sub-processor, and it remains fully liable to the controller for any failure by the sub-processor to meet those obligations.
As a matter of good practice, controllers should include wording in a contract to stress that nothing in the contract relieves the processor of its own obligations under data protection legislation.
Organisations may also want clauses relating to GDPR obligations in their contracts with other controllers, although the GDPR and DPA 2018 do not strictly require this. However, where the organisations are in fact ‘joint controllers’, they must have a transparent arrangement in place setting out their respective responsibilities, the essence of which must be made available to the data subjects concerned.
The GDPR and DPA 2018 tighten the restrictions on transferring data outside the EU. Generally, under the GDPR and DPA 2018, data may not be transferred outside the EU unless:
It should also be noted that an EU-based data controller may grant access to its IT systems for specific purposes to, for example, an IT service provider based outside the EU or to a parent company. In granting such access, the controller remains subject to its overriding GDPR obligation in relation to data security: it must assess the extent to which the access creates a risk of unauthorised or unlawful processing, or of accidental loss, destruction or damage, and, to the extent necessary, mitigate that risk with appropriate technical and organisational measures. Remote access by a non-EU party should be treated as a transfer of personal data outside the EU, so one of the lawful transfer mechanisms referred to above will also need to be in place.
It is also possible that the IT service provider or parent company in this example is itself carrying out processing (deleting data, for instance, can be done remotely without the data itself being moved). In that case the controller must both inform the relevant data subjects about the access and the nature and purposes of the processing (for example, in a privacy notice) and enter into a formal contract with the processor imposing the obligations specified in the GDPR and set out above.
Further, and particularly in the case of a parent company, the party with access to the IT systems may well be a controller in its own right if, for example, it uses the data for its own purposes (such as making decisions about the global business). It will therefore need to consider its own obligations under the GDPR if it is caught by its provisions, which it will be if it offers goods or services to, or monitors the behaviour of, data subjects in the EU. Unfortunately, what constitutes ‘monitoring’ under the GDPR is (perhaps deliberately) unclear.
Audit and compliance
If you thought becoming compliant by 25 May 2018 was the end of it, you were wrong. In the words of the ICO, compliance with the GDPR is a ‘long haul journey’.
Organisations need to keep reviewing their processes, stay alert to any new processing activities they take on (which will not yet have been mapped or referred to in their privacy notices), and conduct regular audits to confirm that their systems and measures remain effective.
Processors should also consider how they will deal with an audit request from a data controller, since they will be contractually bound to assist with such audits (as set out above).