GDPR: What It Means for Third-Party Data Processing Contracts
29th May 2018 | Ardi Kolah
Understand what's new for third-party contracts and how to practically apply new data rule changes
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and replaces the Data Protection Act (DPA) 1998.
On 14 September 2017, the British Government published the Data Protection Bill, which incorporates both the GDPR and the EU Criminal Data Protection Directive. This will eventually be incorporated into national law, although at the time of writing there has been a delay because the Bill needs to be amended to give the Information Commissioner stronger investigatory powers in the wake of the Facebook/Cambridge Analytica scandal.
GDPR extends the existing requirements around security measures contained in the DPA and specifies the details that must now be included in any third-party contract for processing personal data of customers, clients, supporters and employees.
Under GDPR, the Data Processor has a set of new responsibilities and duties, shared with the Data Controller (the client). Both the Data Controller and the Data Processor are jointly and severally liable for damages and face significantly increased sanctions and fines from the Information Commissioner's Office (ICO).
What's New for Third-Party Contracts?
- GDPR makes written contracts between the Data Controller and the Data Processor a general requirement, rather than just a way of demonstrating compliance with the requirement for appropriate security measures (as provided for under both the DPA and the GDPR).
- Third-party data processing contracts must now include certain specific terms as a minimum. These terms are designed to ensure that processing carried out by a Data Processor meets all the requirements of GDPR (not just those related to keeping personal data secure).
- GDPR allows standard contractual clauses from the European Commission or the supervisory authority (the ICO) to be used in such third-party contracts (these clauses are likely to be revised in 2018).
- GDPR envisages that adherence by a Data Processor to an approved code of conduct or certification scheme may be used to help the Data Controller demonstrate that it has selected a suitable Data Processor.
- The Data Controller must only use a Data Processor that guarantees it complies with GDPR.
Practical Points to Consider
The third-party contract must state details of the personal data processing to be conducted, and must set out the Data Processor’s obligations, including the standards it must meet when processing personal data and the permissions it requires from the Data Controller in relation to it.
Importantly, the Data Processor can only act on the express instructions of the Data Controller. If it strays outside those instructions, it could be deemed a Joint Data Controller, particularly where it has shared in decisions about the means and purposes of processing personal data. In other situations, it could find itself in breach of contract with the Data Controller, which could result in legal action and claims for compensation from Data Subjects.
This is a significant change in what EU and UK law require, but in practice you may already include many of the new contract requirements in your existing contracts, either for commercial reasons or as good practice under the DPA.
However, you should take this opportunity to double-check all contracts to ensure they are compliant with GDPR.
The GDPR Handbook is a thorough introduction to the EU General Data Protection Regulation. It covers in detail how companies of all sizes need to operate within the GDPR requirements and how to deal with information security and risk, and specifically addresses the key duties and responsibilities of the Data Protection Officer.