In the third installment of Egnyte’s in-depth look at the EU’s General Data Protection Regulation, Kris Lahiri looks at processors and controllers of data and what they need to know.
When it comes to international data transfer there are really two types of people involved, the processors and the controllers. Both have very specific responsibilities with regards to personal data and it is vital to understand the difference between them.
A controller is defined as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
A processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
While a controller is heavily involved in how personal data is handled, i.e. identifying and analysing how it should be processed and what actions to take, the processor is actually the one carrying out any action involved with handling the data itself. Oddly enough, under the current Data Protection Directive even though the processor is actually handling the data, all of the legal liability falls on the controller who appointed them.
This is where things are going to dramatically differ under the new GDPR next year.
While controllers will still be responsible for appointing data processors that provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR, the processors themselves will now be held accountable for actions on personal data as well. Processors will have to approach their jobs in a whole new way since they will now also be subject to legal sanctions for any failure in compliance.
For a company like Egnyte, we previously played the role of data controller AND data processor, meaning that we are used to being held legally accountable for all of the activity around the handling of personal data. Unfortunately there are many companies who only played the role of data processor and did not have to worry about legal sanctions for not maintaining compliance. They only had to answer to their customers, aka the data controllers.
Under the new GDPR ruling, there will be a whole new set of considerations for companies to navigate on both the controller and the processor side. For example, companies will need to understand that:
- Controllers will have to be much more thorough in their selection of who they trust when contracting a data processor, as they need to be able to ensure the processor understands all aspects of compliance and will not make any mistakes when handling the personal data.
- Processors will take on a significantly higher liability when handling data, as they will no longer be subject to potentially violating a contract with a controller but they will also be accountable for personal data themselves and risk severe sanctions handed from the governing body to protect the data owners’ privacy itself.
- Negotiations between controllers and processors will be much more difficult as both sides will want to make sure they are mitigating their liability should there be any mistakes with compliance. This will mean more detailed contracts with more stipulations, resulting in more time and more money spent on legal and compliance.
With this in mind, companies should take the time to review the current relationships with processors and/or controllers and the contracts they have in place. The changes that will be necessary for companies to move forward under the new GDPR will take time to implement, so it is important so have all affairs in order now. Waiting and potentially failing to meet all the requirements under the new GDPR can be costly, with severe penalties.
The following examples are infringements that can cost 2% of global annual turnover or €10M (whichever is higher):
- A controller or controller’s representative fails to maintain a record of processing activities under its responsibility
- A controller and processor fails to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
- A controller and processor faily to ensure that the data protection officer (DPO) is properly and without delay involved with all issues which relate to the protection of personal data
The following examples are a few infringements that can cost 4% of global annual turnover or €20M (whichever is higher):
- A controller fails to be able to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing
- A controller fails to provide information to data subject at the time information is collected from the data subject and/or from any other source
- There is a failure to make legitimate transfers of personal data outside of the EU made pursuant to exemptions or derogations
As a top priority, companies should be proactively identifying, reviewing, and revising (where necessary) their data processing agreements to ensure they are GDPR compliant in all aspects of their business by May 2018. Secondarily companies should be implementing bulletproof processes to enforce this compliance, like protocols for creating complete and clear documentation of their data handling activities and detailed steps to take in the event of a data breach.
Lastly, companies should be prepping for the worst-case scenario, like being caught for any of the aforementioned infringements. They should be considering mechanisms for resolving disputes regarding respective liabilities and how they can positively resolve them if something should ever happen – a doomsday risk analysis if you will.
As we continue to move closer to the transition date to the new GDPR, defining the relationships data controllers, data processors, and the companies they work with will be paramount. As with everything involving this new legislation, the more detail that is provided the better off you will be. Cutting corners or taking a laissez-faire approach in the short-term will only cause more headaches and potential for disaster in the long-term.