Chicken and egg – processors and their sub-processors

You have to feel sorry for data processors. Until now they have only had to worry about contractual liability, which they have been able to negotiate, sometimes successfully; GDPR is changing things big time. It makes data processors directly liable for certain non-compliance, and their contractual liabilities are significantly increased by virtue of the prescriptive Article 28. On top of that, there is now a chain of compliance required. Processors will be contractually bound to ensure their sub-processors enter into substantially similar processing clauses to their own. Despite this, the data processor remains liable to the data controller.

How should processors go about managing this chain of compliance? Should they fix up their chain of sub-processing first, so that they don’t over-commit themselves in their data controller processing agreements? Or should they sign up to processing clauses with their data controllers and work hard to flow these down? Either route will have timing implications at this stage, and neither is a guarantee of success. Relying on third parties simply to sign up to more onerous processing agreements is also not guaranteed.

Most data practitioners advise adopting a risk-based approach to determine which of your sub-processors you should concentrate your efforts on. I agree that this is a good starting point, but if you have a standard processing agreement you need all your sub-processors to sign up to, then send it out ASAP to all of them. The risk-based approach helps you decide who to chase the most and who you will possibly negotiate your standard processing agreement with.

I am about to call the ICO SME helpline to understand what it means if you can’t get everyone to sign up or, even if you can, what it means if they have signed up but their processes and procedures don’t add up. Watch this space for an update.

GDPR – the beast

The serious countdown to 25th May will soon start and more and more organisations are realising that GDPR compliance is the tip of the iceberg.

What do I mean by that? Well, the Regulation itself is lengthy but fairly straightforward. Yes, it expands existing data protection responsibilities, including making data processors liable in their own right. Yes, it grants greater rights to data subjects to ensure that they know what their personal data is being used for, by whom and where. And yes, it has potentially significant fines, but the ICO has stated and continues to state that any penalties it imposes will be proportionate. All of these require changes to contracts, policies and procedures or, if these are not already in place, the creation of them.

What I really mean is that, in undertaking probably the biggest personal data due diligence exercise it has ever carried out, an organisation has probably uncovered all sorts of other gaps and failings that have nothing to do with processing personal data but probably need fixing as part of achieving GDPR compliance.

I also mean that achieving GDPR compliance, whether at midnight on 24th May this year or at some point later, is only the start of the journey. GDPR compliance is an ongoing requirement. DPIAs will need to become standard procedure, with the process for undertaking one embedded in standard operating practice. Breach notification using the ICO’s new telephone hotline will also become part of life for some organisations.

Here’s to data protection expertise becoming standard.

Roll on the next phase. E-privacy Regulation – where are you?