General Data Protection Regulations: October


25th October 2017


Often, businesses do not carry out all of their personal data processing activities “in-house”. Instead, they may appoint third parties to provide certain processing activities on their behalf (and subject to their instructions). Such third parties are known as “data processors” under data protection law.

Examples of organisations which provide services to other businesses as data processors are companies providing cloud storage, IT services, HR functions, marketing services and payroll services.

Under the existing EU data protection regime, contracts with data processors must already meet certain legal requirements. However, under the GDPR, additional obligations will apply when you appoint a data processor.

Under the GDPR, the following requirements will apply:

  • Before appointing a data processor, you will need to carry out appropriate due diligence and satisfy yourself that the data processor will be able to meet the requirements of the GDPR.
  • You will need to enter into a written contract with the data processor.
  • Your contract with the data processor will need to contain various contract terms, which are specified in the GDPR.

The above requirements will apply with immediate effect from 25th May 2018 to both new processing contracts and your existing contracts with data processors. You will therefore need to:

  • Review and amend any existing contracts with data processors that will still be in force (and still have some time left to run) when the GDPR becomes effective in May next year, to ensure that the new GDPR requirements are incorporated.
  • Ensure that any future agreements with data processors meet the new requirements. This should apply to any contracts that you enter into with data processors from now on (even if you suspend the application of the GDPR-compliant provisions until 23rd May next year).

It is also important to note that, under the GDPR, data processors (as well as data controllers) will be subject to certain statutory obligations. This is a significant change, as it means that enforcement action can be taken by regulatory bodies (such as the ICO) against data processors, that data processors can be fined for breach of the GDPR and that they can be sued for compensation by the individuals whose data they process. At present, the obligations and responsibilities of data processors are limited to those imposed on them under their contractual arrangements.

The change means that data processors may want to negotiate (or re-negotiate) their contracts with you so that they can “pass back” liability to you if they are fined or incur damages as a result of undertaking processing on your behalf. As you can imagine, this is an area where negotiations may well become quite heated.

We’ll be back in touch on 23rd November with the next action point. If you have any questions or queries in the meantime, please get in touch with one of our Information Law team members.

If you would like any further information about the GDPR and how it might affect your organisation, please download our Geldards Guide or if you would like to discuss how Geldards can help with training on the GDPR, please do not hesitate to contact our Information Law Team.

Lowri Phillips, Partner, Cardiff: +44 (0)29 2039 1758

Hayley Lewis, Head of Knowledge Management, Cardiff: +44 (0)29 2039 1785

Helen Snow, Professional Support Lawyer, Cardiff: +44 (0)29 2039 1497