Data processing converts raw data into something usable and valuable. The conversion is a process using a predefined operation carried out manually or automatically.
If you use programs like Apache Hadoop or Apache Spark to sort or define data, then you're engaging in what the law describes as data processing.
The newly implemented GDPR regulations dedicate plenty of space - the whole of Chapter 4 - to new and existing requirements for data controllers and data processors. Data processors receive new responsibilities and liabilities when they process data from European citizens
While the 1995 Data Protection Directive already bound you to a set of measures, the GDPR is much more comprehensive in scope, and many of the obligations you see point directly at data processors.
Data processors accustomed to worrying solely about security requirements now have far more responsibility.
What's changed and what are the new requirements for data processors?
What is a Data Processor?
As defined by Article 4 of the GDPR, a data processor is a person, authority, or body that processes data for a data controller.
Data processing refers to a wide range of operations and applications of personal data either manually or using an automated process.
- Disclosure by transmission
The European Commission provides a few examples of these activities:
Data Processor Contracts: Playing by the Rules
As a data processor, you're required to process data according to the documented instructions of the controller, who also has a long list of privacy obligations. These requirements are laid out in a mandatory contract.
Although much of the emphasis on accountability lies squarely on the shoulders of the controller, data processors also have their own obligations to fulfill outside of their contract and the general rules applying to data services.
As a data processor, you process data under the authority of the controller who created the contract. The law mandates that several stipulations come with a GDPR-compliant contract:
- Only follow the documented instructions provided by the controller
- Ensure confidentiality and provide
- Meet the security requirements in line with Article 32
- Keep a register of all clients and describe the processes with each
- Only use another contractor with the controller's authorization
- Respond to the data subject's request
- Delete and return all data after the end of the contract
- Demonstrate compliance by providing documentation of audits and inspections
- Remind the controller if its instructions infringe upon data protection law
As a data processor, you now hold liability when determining the purpose and means of the processing activities. In the event you set these terms, the guidance then considers you a data controller.
Becoming a controller in the eyes of the regulation means that even as a processor, you may be subject to:
- Investigative or corrective powers of supervisory authorities according to Article 58
- Payment of compensation according to Article 82
- Administrative fines according to Article 83
- Penalties for failing to meet obligations according to Article 84
All of this is avoided in contracts where you strictly follow the controller's instructions without input of your own.
Additionally, if you do receive permission to use a subcontractor for processing purposes, you remain liable to the controller for the subcontractor's performance.
Six Key Points to Take Away
What does all this mean for data processors? There are six key takeaways that all data processors should keep in mind.
1. You Need a Contract
If you don't already have a contract with the data controllers you work with, then you need one ASAP. All contracts are required to not only exist but be updated for the GDPR world starting May 25, 2018.
You may not process data in the European Union without a contract. Each contract must include these essential components:
- Subject, nature, purpose, and duration of processing plan
- Types of data included
- Categories of data subjects included
- Controller obligations and rights
These previously represented the bare minimum of a contract. Under the GDPR, you must now include:
- Agreement to follow precise instructions in processing
- Issues of confidentiality
- Commitment to upholding security according to Article 32 of the GDPR
- Agreement to avoid sub-processors without authorization
- Processors may only use sub-processors that support obligations in present contract
- All data must be returned to the controller and deleted at the end of the deal
- Processor provides evidence of compliance with GDPR Article 28
Several other provisions might include:
- Specific security or technical provisions
- Liability issues
- Cooperation issues
2. You Must Follow the Contract
Contracts are important not only because the law mandates them but because your operations are now limited according to that contract.
It is a data processor's obligation to follow the contract to the letter or else be in violation of both the contract and the GDPR.
3. Double-Check That the Contract Follows the Law
Even though data processors don't write the contracts, they need to inform the controller if the agreement violates the law. If they don't, they risk being liable for the infringements of the law themselves.
Additionally, data subjects may now approach processors, which provides an even greater incentive to ensure you're not violating any legislation.
4. Sub-Contracting is Limited
Before May 25th, you were free to seek out sub-contractors able to help process the data more efficiently than you could on your own as long as your contract allowed it.
Under the GDPR, it is expressly forbidden unless you receive prior written consent from the controller on the contract.
5. Demonstrate Compliance
Until now, you had to participate in security measures, but rarely did you need to prove them. The compliance and accountability themes woven into the GDPR now ask for careful record keeping for all processing activities. You must also be able to provide these records to the Supervisory Authority when asked.
6. Data Protection Officers
Data Protection Officers already existed in some jurisdictions, but it's now a mandate across the EU.
Data processors need a Data Protection Officer if they:
- Are a public body
- Do regular monitoring of data subjects
- Work with sensitive data including criminal conviction data
How to Move Forward as a Compliant Data Processor
If you already know that you're not ready to launch in the EU, there are plenty of things to do:
- Review your existing contracts.
- Make sure your processing platforms are complaint.
- Sort through subcontractors used.
- Identify whether you need a Data Protection Officer (DPO).
- Assess your data security protocol.
- Create systems for demonstrating accountability and compliance.
- Tie everything together with risk assessments.
Don't forget to work closely with data controlling clients to ensure you meet their standards and their standards align with the GDPR.
The GDPR increases processor obligations significantly. Although you might already have followed most of these, the law only previously assigned you with one obligation: protecting the data. Now, both data subjects and regulators may demand proof of compliance - and you need to be ready to offer it.
Many of your obligations are laid out in your contracts, but data processors need to remain alert during this phase as well. Processors now also bear liability for regulatory issues within contracts.
The biggest takeaway is that data processing is less of a solitary operation than before. Expect to work more closely with data controllers to ensure you both remain compliant and avoid attracting negative attention from regulators and data subjects.