In the run-up to 25 May 2018, it's a good idea for data processors to keep an ear firmly to the ground in terms of upcoming guidance from the Information Commissioner's Office (ICO). New guidance is expected to be published before the end of this year.

How do you know if you are a data processor? You are one if you deal with or store personal data on behalf of another party (the controller) that decides the purposes for which you handle the data. Examples of data processors are:

  • a service provider undertaking outsourced customer services
  • companies responsible for securely disposing of client information
  • cloud providers storing personal data
  • service providers (regardless of the type of services) who have access to personal data owned by the customer through the provision of services

Key new obligations

The most relevant change for data processors under the General Data Protection Regulation (GDPR) is the move from imposing obligations on data controllers to ensure that processors keep data secure to creating directly enforceable obligations on processors to comply with data protection law.

Instead of looking for the data protection clause in a contract, you will have to ensure the security of processing directly under the GDPR. The new obligations include:

  • Maintaining appropriate technical and organisational measures to ensure an appropriate level of security for the personal data. What is an appropriate level of security is for you to assess and depends on the circumstances. Your assessment should take into account the risks of the processing, nature of the data, state of the art as well as costs of implementing the security measures.
  • Appointing a data protection officer if you are a public body or where your data processing includes either systematic and large-scale monitoring of data subjects or large scale processing of sensitive data (such as information about a person's physical or mental health) or data relating to criminal convictions or offences.
  • Ensuring that no one within your control processes personal data except on instructions from the controller.
  • Notifying the controller without undue delay if you become aware of a data breach. If the data breach is serious enough, the controller may have an obligation to report it to the ICO.
  • Obtaining written authorisation from the controller prior to engaging any third party for sub-processing.

New ICO enforcement powers that will apply to processors

Currently data processors are relatively safe from any regulatory repercussions (as opposed to contractual repercussions) following a data breach or any other compliance issue arising from data protection legislation, except for the limited cases where processors may be held directly liable by the ICO (such as unauthorised overseas transfers). In comparison to the current position, the new enforcement powers have teeth.

The old enforcement, assessment and information notices will be replaced by an obligation to assist the ICO on request. The ICO will also have specific investigatory, corrective and advisory powers that will extend to processors, such as the right to enter premises and the right to ban or limit processing. You should also take note of how non-compliance may affect the bottom line, since the ICO will have new powers to impose fines on data processors as well as controllers.

ICO will also have further visibility into processing activities carried out by companies that employ more than 250 people or engage in data processing which is likely to result in a risk to the rights and freedoms of individuals. The latter is an objective assessment which could apply to any size of company. Should you fall into either category, you will have an obligation to maintain records of data processing, including information about types of processing as well as any overseas transfers and a description of the organisational and security measures that you use.

Above we have discussed a couple of areas where as a data processor you are required to assess the level of security measures or the need for record keeping based on their unique circumstances which could be an unwelcome source of uncertainty to most processors. There is no doubt that the assessment carried out by processors will have to be an earnest one with a good paper trail to boot. However the upcoming guidance will be particularly interesting in relation to the more practical requirements that the ICO may be looking for.

Contact our Specialist Compliance and Regulatory Lawyers

MacRoberts' team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.

© MacRoberts 2016

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.