Now that GDPR has been approved, companies need to start work on preparing their governance, employees and technology for the new legislation.
Among those organisations most affected by GDPR are data processors. Data processors process data on behalf of, and under the instruction of, their data controller. Now data processors must comply with the statutory requirements of GDPR and, for the first time, can be held accountable.
Failure to meet the requirements of GDPR carries significant sanctions, up to 4% of global turnover OR 20 million euros – whichever is the greater. In addition, processors still run the risk that, in the event of non-compliance or breach, their data controller can sue for breach of contract – all eye-wateringly expensive to the point of breaking the business.
So it’s a new world for data processors, who need to take steps immediately to protect themselves against compliance and security risk. For example:
- They must have appropriate technical and organisational measures to ensure security of the data they are processing.
- They must maintain written records relating to all personal data processing carried out for each of their data controllers.
- They may no longer appoint new or alternate sub-processors without the authorisation of the data controller.
- They must cooperate with the relevant supervisory authority.
- They must notify the data controller without undue delay in the event of a data breach.
- They must comply with GDPR in relation to cross-border data transfers.
So what kind of organisation does this affect? Data processors include a multitude of businesses from call centres, to data providers, to data service providers – cleansing, hygiene, analysis – to cloud providers and technology vendors.
Mandated contract clauses have been specified in detail under GDPR, so all existing and future contracts will need review and are likely to need revision, with negotiations between controllers and processors becoming ever tougher as each party tries to tie down the areas of liability and responsibility.
There is an argument that the costs of processing may increase, which will have a negative impact on data controllers. But there’s no doubt – data processors are now firmly in a new world of liability and penalty.