It will not have escaped organisations’ attention that data protection laws have undergone significant reforms lately. The GDPR came into force on 25 May 2018; however, we also have a new Data Protection Act 2018 (DPA 2018), which is now in force thanks to some last-minute prompt progress through Parliament.
A lot of media attention centred on how the new laws enhance the rights of individuals and the potential fines organisations could face for data breaches (of up to the greater of €20 million or 4% of annual global turnover; the DPA 2018 provides that the sterling conversion rate will be set by reference to the date the penalty notice is issued). Of course, the new laws also change the way businesses may interact with each other when there is likely to be a sharing of personal data.
The DPA 2018’s overview makes it clear that most personal data processing is subject to the GDPR, and that the DPA 2018 applies domestic rules for types of processing not covered by the GDPR (for example, immigration).
Commercial contracts
The GDPR and DPA 2018 set out that where a data controller engages a data processor (which may arise, for example, where an organisation uses an external third-party provider for payroll), it should only do so if the processor has provided sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR.
The GDPR and DPA 2018 state that processing by a processor should be governed by a binding contract and that this contract should include:
Details of:
- The subject-matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and categories of data subjects involved; and
- The obligations and rights of the controller and processor.
The following obligations on the processor:
- To only process the personal data on documented instructions from the controller. This includes international transfers (save where required by law, in which case the processor should inform the controller of the legal requirement before processing, unless that law prohibits such a communication);
- To ensure that those authorised to process the data have committed themselves to confidentiality or have a statutory duty of confidentiality;
- To implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- Not to appoint another processor without prior specific or general written authorisation of the controller. In the latter case, the processor must inform the controller of any addition/replacement of other processors, thereby giving the controller the opportunity to object to such changes;
- To assist the controller (taking into account the nature of the processing) by appropriate technical and organisational measures, insofar as is possible, for the fulfilment of the controller’s obligations to respond to requests exercising data subjects’ rights;
- To assist the data controller (taking into account the nature of the processing and information available to the processor) in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- At the choice of the controller, to return to the controller or delete all personal data used for the provision of the service unless required by law to keep a copy; and
- To make available to the controller all information necessary to demonstrate compliance with the obligations and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. The processor must inform the controller if, in its opinion, an instruction infringes the regulations or other law.