With GDPR applying as of May 25th, companies are making sure of their own compliance, but it is also necessary to make sure business partners are compliant. The roadmap for GDPR stretches back a few years and there are many resources online, such as those from the CNIL in France, the ICO in the UK and the Data Protection Commissioner in Ireland. Each of these bodies has easy-to-read and easy-to-understand resources on the GDPR. Over the last 6 months we have been getting queries and questions on this specific matter; here is our take on answering them:
How to approach GDPR compliance?
When discussing compliance with suppliers and clients, we treat the GDPR as a risk-based approach to data protection, and our discussions generally start from three perspectives: (1) what are the data subject rights, (2) what are the risks here, specifically the risks to those privacy rights, and (3) what special considerations apply, including special categories of data. This is very broad; when we conduct a Data Protection Impact Assessment (DPIA) the conversation evolves and becomes very focused on the specific areas that need attention.
What are the risks and how are they avoided?
The answer to this question is often technical and IT-related rather than a matter of policy or procedure. Many risks relate to a lack of encryption, cloud server locations, data transmission and access control. While most are open to comment and opinion, these risks generally come down to the current state of technology: what the latest threat and countermeasure are, and what the most appropriate security is for the data being processed. As a result, protecting data subject rights is fluid and will need to be reviewed and updated as new developments appear. This review and investment process does not need to be expensive; many risks and concerns can be addressed by working with capable and current IT professionals who understand technology and how to deploy it to provide the best level of protection. It is worth mentioning that there is no such thing as 100% secure. Many of the world’s leading state security organisations and principal technology companies have had security issues. As a result, we need to view information security as more than just having encrypted data or an up-to-date firewall: technology is one part of a much larger culture of protecting people’s privacy rights.
How will commercial relationships change with GDPR?
Article 32 (Security of Processing) of the GDPR cannot specify exact security measures, for the reasons given above, and leaves them open, using terms like “ensure a level of security appropriate to the risk”. The policy aspect of the relationship is a different matter. The sub-contractor or controller / processor relationship now needs to be governed by a contract containing certain stipulations. Before GDPR, commercial agreements generally just had a clause saying you must be compliant under the relevant act implementing the EU Data Protection Directive 95/46. Many of these provisions were vague, dated and did not reflect the commercial reality of the relationship. Article 28 (Processor) stipulates that “Processing by a processor shall be governed by a contract… That contract shall stipulate, in particular, that the processor…”; some of the areas it covers are below:
1. Documented instructions on how to process the data.
2. Confidentiality provisions.
3. Appropriate security provisions (Article 32).
4. Instructions to engage third-party processors only with the written authorisation of the controller.
5. Clauses stating that all provisions and obligations of the agreement shall be passed down to all additional sub-processors.
6. Taking the nature of the processing and the types of data into consideration when carrying out obligations and supporting the exercise of data subject rights.
7. Assisting the controller in seeking consultation with data subjects and in the security of processing.
8. Provisions ensuring that the controller has available to them all the information necessary to demonstrate compliance.
What does that mean for my ongoing contracts?
Many organisations are reluctant to discuss these new provisions with clients or suppliers for fear of having to completely renegotiate a contract. In reality, the above requirements can be satisfied by implementing a data protection addendum that reflects the GDPR requirements listed above, with no need to renegotiate the entire contract.
Internally, we are in the process of conducting data protection impact assessments (DPIAs), reviewing the risks identified by these assessments and translating them into the stipulations covered under Article 28. This process is not a paper exercise; it is a living part of our business, where operational procedures are being adjusted to reflect where we need to be in order to protect data subject rights. The Article 29 Working Party has said that the easiest way to demonstrate compliance is by conducting DPIAs, and when they are done correctly it is much easier to comply with the Article 28 requirements. So, in short: do your DPIAs, ensure the changes are made, and make sure the contractual relationship reflects them and is compliant!