This is the second in a series of blogs on GDPR, starting with Who’s Who in GDPR?
In that blog, we explored the difference between Data Subjects (living individuals) and the organisations which store or process their data, namely Data Controllers (the decision makers), Data Processors and Sub Processors. In this blog, we look at the responsibilities of Data Controllers, Data Processors and Sub Processors.
Passing the GDPR buck – or not!
Some Data Controllers mistakenly believe that they can outsource their data processing and wash their hands of any GDPR compliance responsibilities. This simply isn’t true. As the name suggests, the Controller is accountable for the management of the data, from cradle to grave.
Data Controllers are required to:
- Pay the data protection fee (unless they are exempt)
- Take steps to secure data (this makes sense, as it’s their data and reputation on the line)
- Ensure that any Data Processors comply with the GDPR
Data Controllers are required to have a written contract (a Data Processing Agreement) in place with each Data Processor, just as we do with our outsourced IT provider. The GDPR sets out a long list of requirements for Data Processors (you may have heard of Articles 28-32), but as an absolute minimum this agreement should:
- Outline the type of information that the Data Controller will pass to the Data Processor
- Record how data will be processed
Controllers who don’t comply may face enforcement action by the ICO or claims from individuals. Fines can be substantial and bring negative publicity.
Ensuring your Data Processors and Sub Processors don’t put you at risk
Data Processors and those processing data on their behalf aren’t off the hook either. They also have a number of responsibilities to ensure that they can meet the requirements of Articles 28-32, including:
- Taking steps to secure data
- Keeping records of data processing
- Not sharing the data with, or passing it to, anyone else (including a Sub Processor) without the prior written authorisation of the Data Controller
- Informing the Data Controller without undue delay if they identify or suspect a personal data breach
Again, processors who don’t comply may have action taken against them.
Three ways for Data Controllers to boost GDPR compliance
As a Data Controller there are several steps you can take to boost your compliance.
Firstly, you should check that you’re registered with the ICO.
Secondly, work out what data you have and why. It sounds simple, but you’ll be surprised just how much you have collected. You should follow the ‘life’ of a piece of data from the moment that it is collected to the moment that it is deleted or ask someone like us to help you!
As part of this mapping process, you should identify your Data Processors and check you have a legal agreement in place with each of them. They need to meet or exceed the same level of compliance as you – otherwise you have an area of weakness. Remember, you have the right as a Controller to audit any of your Data Processors or to ask a third party to audit them on your behalf.
Finally, you should identify where you hold data in your business, check that you’re only keeping the data that’s needed, and understand how long you’re keeping it for. You must also ensure that your data is properly secured.
If this feels overwhelming, don’t worry. We can help you with all aspects of GDPR compliance.
Six things Data Processors can do
When a Data Controller trusts you with their data, they are also trusting you with their reputation.
To help put their mind at rest, you can do the following:
- Share information about the steps you have taken to establish and maintain GDPR compliance, such as participating in a GDPR Discovery Review
- Ensure your board and senior leaders understand their role in supporting a culture of compliance
- Ensure you can answer any GDPR compliance questions in supplier questionnaires fully and accurately
- Consider certifying your business to IASME Governance, which includes a GDPR compliance element, or to ISO/IEC 27701 (the Privacy Information Management Standard)
- Accept that they have the right to audit you and make it easy for them to do so
- Regularly train your staff on the GDPR and ensure you have a trained Data Protection Officer (where one is required) or someone who knows how to respond in the event of a data breach or other GDPR incident
If you want to gain a competitive advantage through compliance, please contact us.