GDPR – Controller or Processor – What to do now?
The General Data Protection Regulation (GDPR) applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the Data Protection Act 1998 (DPA) – the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
What must data controllers do?
- Comply with the key principles – Data controllers are responsible for, and must be able to demonstrate compliance with, the principles relating to the processing of personal data. These are: lawfulness, fairness and transparency; data minimisation; accuracy; storage limitation; and integrity and confidentiality of personal data.
- Ensure lawful processing – A data controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation. To do this, the data controller must take into account the nature, scope, context and purposes of processing personal data, as well as the risks to the rights and freedoms of the data subjects. Examples of such measures include allocating responsibility for data protection by appointing a Data Protection Officer (DPO), preparing data protection impact assessments, and reviewing these measures regularly.
- Joint data controllers – If several organisations share the responsibility for controlling personal data, the GDPR allows for joint data controllers. The joint data controllers must determine their respective responsibilities by written agreement (contract) and provide the content of this agreement to the data subjects.
What must data processors do?
- Data processing agreements – Personal data may only be processed on behalf of a data controller where a written contract is in place which imposes a number of mandatory terms on the data processor, as set out in the GDPR.
- Data controller instructions – Personal data may only be processed in accordance with the instructions of the data controller.
- Accountability – Data processors must maintain records of data processing activities and make these available to the supervisory authority on request (in the UK this will be the Information Commissioner’s Office).
- Data security – Put appropriate security measures in place and inform the data controller of any data breaches.
- Data Protection Officers – In specified circumstances, a data processor may have to appoint a DPO.
- Sub-contracting – A sub-contractor may only be appointed by a data processor with the prior written authorisation of the data controller and an appropriate written contract must be in place.
What should both data controllers and data processors be doing now?
- Identify, review and, where necessary, revise their data processing agreements to ensure that they are GDPR-compliant. Any new agreements should be agreed in accordance with the requirements of the GDPR.
- Consider mechanisms for resolving disputes regarding respective liabilities to settle compensation claims, given the new provision allowing for the joint liability of both data controllers and data processors for data protection breaches.
- Ensure that you have clear documentation and recording procedures in place to prove that you meet the required standards. Implement measures to prepare and maintain records of your organisation’s processing activities.
GDPR Preparedness Toolkit Seminar
This two-hour seminar will help you take your first steps towards compliance by sharing practical insights about implementing a data-security-based approach in line with the Regulation. You will learn about:
- Why you have to comply with the GDPR and what might happen if you don’t.
- The GDPR’s direct effect on your business and the transition timelines.
- The steps to take in preparing for compliance.
- The technical and organisational measures your business will need to adopt to comply with the Regulation.
- A key assessment toolkit you can use to help you to achieve compliance.
The seminar will be held at The Birch Hotel, Heywood with easy access to the M60, M62 and M66 on:
- Wednesday, 25th October 2017, 14:00 to 16:15
- Wednesday, 29th November 2017, 14:00 to 16:15
Standard tickets are £25.00
Early Bird Discount tickets are £15.00 (available only if you book within 14 days of the seminar)
Contact us on 0345 319 4887 to book or book online with Eventbrite.