
GDPR continues to prove challenging for many

As the GDPR has created fresh challenges for businesses that share personal data with third-party processors, the Tech Faculty offers some practical tips on managing your new accountability for your processors.

A third of European businesses admit that they are still not compliant with the General Data Protection Regulation, a recent survey found.

Many firms share personal data with third-party processors, and preparation for the General Data Protection Regulation (GDPR) in 2018 highlighted how far this reaches into global supply chains. “Being compliant goes beyond usage and protection of personal data within a firm, it also includes how data moves to and between suppliers such as cloud service providers, outsourcing companies and payroll bureaus,” says Mark Taylor, Tech Faculty technical innovation manager.

Under the GDPR, firms that are data controllers are responsible for their own compliance and for that of any third-party data processors (suppliers/providers) that they employ. In the event of a breach, you cannot simply deny any wrongdoing and lay the blame on your supplier. Controllers must only use processors that can give sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets GDPR requirements and protects data subjects’ rights. Otherwise, the data protection shortcomings of any processor you use could affect your firm, damaging its reputation and potentially leading to costly fines.

But it is more than just asking whether your processor is compliant. The GDPR makes written contracts between controllers and processors a requirement. Furthermore, if a processor uses another organisation (i.e. a sub-processor) to assist in its processing of personal data for a controller, it must have a written contract in place with that sub-processor. These contracts must include specific minimum terms, designed to ensure that the processing carried out by a processor meets all the GDPR requirements, not just those related to keeping personal data secure. Failing to have a written contract in place, or having one that does not include all the minimum terms, is itself a breach of the GDPR.

Remember it’s not just providers of cloud software and services that must be GDPR-compliant. So must external contractors and providers of accounting and bookkeeping services, finance and accounts, human resources, payroll bureaux, recruitment and other outsourcing partners. Anyone, in fact, who ‘processes’ personal data on your behalf.

It’s not just data controllers who have new obligations under the GDPR; processors do too. In addition to any contractual obligations to the controller, a processor must not act contrary to the controller’s instructions, and must not engage a sub-processor without the controller’s prior specific or general written authorisation. Failure to meet any of these obligations is a breach of the GDPR. Processors also remain liable to the controller for the compliance of any sub-processors they engage.

So what should controllers and processors do to ensure they are fully compliant? The following is a brief checklist of what you need to do (and re-do on a regular basis):

  • Check you have contracts with all your providers (data processors) – if not put them in place.
  • Check if any existing contracts include the details specified by the GDPR – if not amend them.
  • If you are a data processor, ensure you have your data controller’s prior written authorisation (specific or general) before employing a sub-processor to perform a processing activity.
  • Establish where your provider, their employees, contractors and data processing facilities are all located. If any of these are outside the UK, you will need to ensure that the transfer of personal data from the UK to them is permitted under the GDPR. NB this may change post-Brexit (see our guidance on the implications of Brexit for data protection).
  • Check whether the service provider is registered with the relevant national data protection authority or authorities.
  • Check that the provider is aware that they too need to be GDPR-compliant, and then check how they can prove it, e.g. is their compliance documented? If not, ask them to do this or use another processor who can demonstrate compliance.

The GDPR has made it clear that all firms need to assess and document their actual compliance from legal, operational and technology perspectives. It is also clear that compliance is a never-ending process, and all firms need to regularly review and maintain their data protection statements and documentation. Over time more case law will be set, and as a result firms may need to amend or update their data protection policies and practices.

In the meantime, the Information Commissioner’s Office provides a checklist and other useful guidance on contracts. You will also find GDPR resources on the ICAEW GDPR hub.