Will your clients be the first to ask about your GDPR compliance?
From 25th May 2018, your existing and prospective clients will need to ensure that you, as a data processor, are GDPR compliant. You in turn will have to ensure that anyone processing data on your behalf is also GDPR compliant.
Apart from being a legal requirement, there are a number of other reasons to comply with the GDPR; retaining existing clients and winning new ones must be high on your list.
Article 28 of the GDPR states:
“1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
In other words:
As a data controller, you must use only processors that meet the requirements of the GDPR, and you must have a contract or other legal act in place that binds them to do so.
As a data processor, you will be required by your data controller (your client) to be GDPR compliant, and they will need to enforce this through a contract or other legal act.
Non-compliance could lose you business
It is reasonable to assume that your larger, and potentially more heavily regulated, clients will be the first to insist on GDPR compliance.
If you are not already compliant, or do not have a credible road map to compliance, you risk losing them to your competitors.
We have seen evidence of this in practice:
Local authorities asking their providers, educational establishments, and housing associations about their compliance.
Law enforcement agencies requiring that the charities they pass data to are compliant.
Our clients looking to their accountants, IT providers and payroll providers to be compliant.
Under the GDPR, the contract requirements between controllers and processors are broader than those under the Data Protection Act 1998 (DPA), which focused mainly on data security. Contracts must now set out the processor's obligations under the GDPR as a whole.
Also, under the GDPR, processors have direct responsibilities and obligations that exist independently of the terms of any contract with a controller. As a data processor, you can be held directly liable for GDPR non-compliance.
Minimum Contract requirements
There are certain minimum contract requirements, detailed in Article 28(3), which must be included in any contract between a data controller and a data processor.
The GDPR also allows the use of standard contractual clauses, which may be adopted by the European Commission or by a supervisory authority such as the ICO. Watch this space.
We hope you found this post both interesting and useful. For further information, the ICO has published an excellent guidance paper on contracts and liabilities under the GDPR:
ICO GDPR guidance: Contracts and liabilities between controllers and processors
The information provided in this post is for general information only and is not intended to provide legal advice.
© GDPR Auditing 2017.