11 February 2020
Data processing converts raw data into something usable and valuable. The conversion is a set of operations, predefined and carried out either manually or automatically.
If you use programs like Apache Hadoop or Apache Spark to sort, filter or structure data, then you're engaging in what the law describes as data processing.
The GDPR dedicates plenty of space - the whole of Chapter IV - to new and existing requirements for data controllers and data processors. Data processors take on new responsibilities and liabilities when they process the personal data of individuals in the EU.
While the 1995 Data Protection Directive already bound you to a set of measures, the GDPR is much more comprehensive in scope, and many of the obligations you see point directly at data processors.
Data processors accustomed to worrying solely about security requirements now have far more responsibility.
What's changed and what are the new requirements for data processors?
As defined by Article 4 of the GDPR, a data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of a data controller.
Data processing refers to any operation or set of operations performed on personal data, whether or not by automated means.
The European Commission provides a few examples of these activities:
As a data processor, you're required to process data according to the documented instructions of the controller, who also has a long list of privacy obligations. These requirements are laid out in a mandatory contract.
Although much of the emphasis on accountability lies squarely on the shoulders of the controller, data processors also have their own obligations to fulfill outside of their contract and the general rules applying to data services.
As a data processor, you process data under the authority of the controller who created the contract. The law mandates that several stipulations come with a GDPR-compliant contract:
As a data processor, you now carry liability if you go beyond the controller's instructions and determine the purposes and means of processing yourself. In that event the regulation considers you a data controller in respect of that processing.
Becoming a controller in the eyes of the regulation means that even as a processor, you may be subject to:
You avoid all of this by processing strictly on the controller's documented instructions, without substituting decisions of your own.
Additionally, if you do receive permission to use a subcontractor for processing purposes, you remain liable to the controller for the subcontractor's performance.
What does all this mean for data processors? There are six key takeaways that all data processors should keep in mind.
If you don't already have a contract with the data controllers you work with, then you need one ASAP. From May 25, 2018, such contracts are required not only to exist but to meet the GDPR's requirements.
You may not process personal data on a controller's behalf without a contract (or other binding legal act) with that controller. Each contract must include these essential components:
These previously represented the bare minimum of a contract. Under the GDPR, you must now include:
Several other provisions might include:
Contracts are important not only because the law mandates them but because your operations are now limited according to that contract.
It is a data processor's obligation to follow the contract to the letter or else be in violation of both the contract and the GDPR.
Even though data processors don't write the contracts, they must immediately inform the controller if, in their opinion, an instruction infringes the GDPR. If they don't, they risk being liable for the infringement themselves.
Additionally, data subjects who suffer damage may now claim compensation directly from processors, which provides an even greater incentive to ensure you're not violating any legislation.
Before May 25th, you were free to seek out sub-contractors able to help process the data more efficiently than you could on your own, as long as your contract allowed it.
Under the GDPR, engaging another processor is expressly forbidden unless you have the controller's prior specific or general written authorisation. Under a general authorisation you must still inform the controller of any intended addition or replacement of sub-processors so it has the opportunity to object.
Until now, you had to implement security measures, but rarely did you need to prove them. The compliance and accountability themes woven into the GDPR now require careful record keeping for all categories of processing carried out on behalf of each controller. You must also be able to provide these records to the Supervisory Authority on request. The exemption for organisations with fewer than 250 employees does not apply where the processing is more than occasional, is likely to pose a risk to data subjects, or involves special categories of data.
Data Protection Officers already existed in some jurisdictions, but the GDPR now mandates them across the EU in defined circumstances.
Data processors need a Data Protection Officer if they:
If you already know that you're not yet ready to process the personal data of EU data subjects, there are plenty of things to do:
Don't forget to work closely with your controller clients to ensure you meet their standards and that their standards align with the GDPR.
The GDPR increases processor obligations significantly. Although you might already have followed most of these, the law previously assigned you only one direct obligation: protecting the data. Now, both data subjects and regulators may demand proof of compliance - and you need to be ready to offer it.
Many of your obligations are laid out in your contracts, but data processors need to remain alert beyond the contract as well. Processors now bear direct liability under the regulation when they act outside the controller's lawful instructions or fail their own statutory obligations.
The biggest takeaway is that data processing is less of a solitary operation than before. Expect to work more closely with data controllers to ensure you both remain compliant and avoid attracting negative attention from regulators and data subjects.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.