You have to feel sorry for data processors. Having only had to worry about contractual liability which they have been able to negotiate, sometimes successfully, GDPR is changing things big time. It makes data processors directly liable for certain non-compliance and their contractual liabilities are significantly increased by virtue of the prescriptive Article 28. On top of that there is now a chain of compliance required. Processors will be contractually bound to ensure their sub-processors enter into substantially similar processing clauses as they have. Despite this, the data processor is still liable to the data controller.
How should processors go about managing this chain of compliance? Should they sort out their chain of sub-processing first so that they don’t over-commit themselves in their data controller processing agreements? Or should they sign up to processing clauses with their data controllers and work hard to flow these down? Either route will have timing implications at this stage and neither is a guarantee of success. Relying on third parties to simply sign up to more onerous processing agreements is also not guaranteed.
Most data practitioners advise adopting a risk-based approach to determine which of your sub-processors you should concentrate your efforts on. I agree that this is a good starting point, but if you have a standard processing agreement you need all your sub-processors to sign up to, then send it out asap to all of them. The risk-based approach helps you decide who to chase the most and who you will possibly negotiate your standard processing agreement with.
I am about to call the ICO SME helpline to understand what it means if you can’t get everyone to sign up or even if you can, what it means if they have signed up but their processes and procedures don’t add up. Watch this space for an update.