One of the key changes in the GDPR is that Data Processors are directly responsible to the Information Commissioner for the first time.
Data Processors need to write it down
First of all, they must maintain a record of the processing activities carried out on behalf of each controller. For smaller companies this will be a massive headache, meaning a large increase in administration costs, some of which will obviously have to be passed on to the Data Controller. Furthermore, they will also have to carry out a risk analysis before carrying out any processing. (If the processing is a repetitive task, the analysis may only need to be written out once.)
Provisions for cross-border transfers will now also apply to processors, and if you are outside the UK, Binding Corporate Rules (BCRs) will come into play.
In addition, processors may need to appoint a data protection officer where required. Similarly, if they are outside the UK they may also need to appoint a representative in certain circumstances.
Finally, they must notify the data controller within 72 hours of a personal data breach occurring. This will obviously be very hard: most companies aren’t actually aware that their computers have been attacked until well after the event. Normally their first inkling is when they are approached by the hackers, which might not happen for several weeks.
Under the previous data protection acts, the Data Processor was only implicitly liable for the work carried out and was not held directly accountable; that responsibility lay with the Data Owner. Under GDPR, however, the Data Processor can also be fined if they break the rules.
The new status of data processors is likely to affect how data protection matters are addressed in contracts. Companies should review their agreements with third-party suppliers.
For frank, impartial advice on all matters relating to GDPR, or for an introductory meeting, please contact us today.