At the end of 2015, Europe finally agreed the text of its new General Data Protection Regulation, the law that will replace Europe's aging Data Protection Directive. The Regulation, or GDPR, is the first major re-write of European privacy laws in 20 years, and carries with it a significant extension of liability and compliance obligations. This is particularly the case for the mere data processor (a role familiar to the average cloud services provider). Previously beyond the direct reach of EU data privacy law, the data processor's compliance world will soon change as the GDPR will extend specific legal obligations to data processors.
What does the law require today?
At present, the Data Protection Directive 95/46/EC ("Directive") generally sets out direct statutory obligations for controllers, but not for processors. Processors are generally only subject to the obligations that the controller imposes on them by contract. By way of example, in a service provision scenario, say a cloud hosting service, the customer will typically be a controller and the service provider will be a processor. This has left processors relatively insulated from the Directive's reach: the controllers for whom they act may impose or flow down specific contractual obligations, but the Directive itself does not bind the processor directly.
Keen readers will recognise that EU data protection law is always nuanced and not quite that simple. Most organisations today will wear both a processor hat (while processing data on behalf of others) and also assume a controller role in respect of the personal data they process for their own purposes (such as CRM contact data, service usage statistics and ancillary metadata in the cloud service context). Sophisticated providers already make such distinctions in their deal terms.
As previously explained, the GDPR will continue to apply EU data protection law requirements to data "controllers" (i.e. persons who determine why and how personal data are processed), but certain requirements will apply for the first time directly to data "processors" (i.e. persons who process personal data on behalf of a data controller).
I recently wrote an article expanding on what this GDPR change means for processors (and in particular processors providing services in the cloud). The full article can be found here: The GDPR's impact on the cloud service provider as a processor
For the first time, there will be direct statutory obligations for processors, for instance around accountability, engaging sub-processors, data security and data breach notification. The cloud services provider (as indeed any processor) must assess what the GDPR means for them. Not only will their customers demand adaptations to service terms to protect the customer's own data in accordance with the new rules, but as data processors cloud services providers will also have to consider their own legal compliance in relation to cloud processing activities. This article looks at the new provisions specifically from the perspective of cloud service provider processors.
The article appeared in PDP Journal's "Privacy and Data Protection" (Volume 16, Issue 4). See http://www.pdpjournals.com for more detail.
What should you do now?
As the rules for data processors are new, there is no precedent or existing practice to benchmark against, and all will be grappling with the new rules. Without current good practice as a reference point, as a processor you should:
- Assess whether any of your EU-based group companies act as processors;
- If so, assess the level of awareness of, and readiness for, compliance with EU data protection law, and create a road map for transitioning to compliance with the GDPR;
- Identify for whom you act as a data processor and the role undertaken;
- Decide how you will document your processing activities and keep this record up to date;
- What contractual obligations do you owe to controllers today? Do you anticipate these need to change to close the gap between the Directive and the GDPR (and what would your response be to a controller who requested new terms)?
- Which of your subcontractors handle personal data as a part of your overall service provision to customers, and where are the terms that govern them?
- Are there adequate "open" consents from your customer to sub-contract?
- How can you harmonise obligations to customers to manage your sub-contractor flow-down obligations?
- How will you approach amending sub-contracts that fall short during the next two years in anticipation of the GDPR?
- Are there any international data transfer consequences to consider?
- Do you meet the criteria that would oblige you to appoint a Data Protection Officer (DPO)?
- Monitor news on evolving Codes of Practice and Guidance specifically aimed at processors.
There is good news, however. The GDPR will not come into effect until 2018, giving organisations a two-year lead-in period to get their houses in order. Just don't leave it too long!