
Introduction

Tue Jan 16 18:30:20 2018

The GDPR, the General Data Protection Regulation, is enforceable from 25th May 2018. The law was passed in 2016 and then entered a transitional phase to allow businesses and organisations to adapt. I will be discussing some of the aspects of the GDPR as I navigate helping businesses and organisations I am involved with change to reflect the new legislation.

In this article I am going to discuss the data processor. What makes you a processor? How does that differ from being a controller? What are the rights and responsibilities associated with processing?

Processing Purple People-Eater

We are going to start by addressing what makes you a processor and not a controller. A processor is an individual or organisation who processes personal data on behalf of a controller. The processor does not own the information, nor do they usually store it for any purpose other than to allow the processing action.


Think of it as a mailing list manager. They may store the names, addresses and details of your customer list but they do not make use of this information except when you instruct them to mail out or compose a campaign. They process but they do not own or control.

If a processor uses the information for any purpose other than carrying out a controller’s processing task then they may also be considered a data controller. The processor does not become a data controller if they themselves use a third party for some of the processing (such as our mailing list manager using a separate text or email facility); however, if they do this there are some other duties they must perform.

What Must I do as a Processor?

A processor is subject to some, but not all, of the same duties and responsibilities as a controller. I have separated the major responsibilities and concerns into three areas: risk, role and responsibility.

Risk

Like the controller and any other person who holds personal, and potentially sensitive, information on a data subject you must examine:

  • The level of sensitivity of the data;
  • How much it identifies an individual;
  • How it is stored, transmitted or deleted;
  • The current level of security and threat, and what risk a breach would pose to a data subject.

This gives you a risk analysis for the event of a data breach and allows you to take appropriate measures to mitigate, or negate, that risk. The more personal and sensitive the information, the greater the steps that must be taken to secure it. This is the same position as any other individual dealing with information on a data subject.

Role

As mentioned above, you must clearly know, and state, whether you are a data processor or data controller. You must also state this for any third party that touches the data which you handle. This is vitally important in establishing the rights and responsibilities that individuals have to access the data you have.

An individual does not, typically, request their data from a processor, nor will they have access to what is stored, and little responsibility is placed on the processor to supply this. That is the role of the controller, and it is the controller who must ensure that they work with their chosen data processors to meet such requests (however, see Article 28:3(f)).

If the processor uses the data for their own business (i.e. profits from the data itself and not from the processing of the data) then they are a controller and the same rules regarding access, consent and legal processing need to be observed (the Articles regarding this are listed below).

Responsibility

As a data processor you must guarantee certain things to the data controller and to the data subjects whose data you process. You must observe the rules that are, for the most part, listed in Articles 28-30:


  • That you meet the regulation and ensure the protection of data subjects;1
  • That you do not engage another processor without the written notification to, and consent of, the controller;
  • That you have a contract with the controller (this must be a written contract, but it may be electronically created, stored or transmitted, i.e. a formal email is satisfactory) that records:
    • the length of term;
    • the type of data held or collected;
    • the categories of data subjects (biological or otherwise);
    • the type of processing actions performed on the data;
    and stipulates that the processor:
    • processes the data only on documented instruction and does not transfer it across borders or to other bodies (unless required by Member State law or a government body, in which case the controller must be informed in writing);
    • ensures all persons conducting processing are bound by confidentiality;
    • takes appropriate security measures;2
    • follows the same rules as a controller when using a third-party processor themselves;
    • aids the controller, where possible, in upholding a subject’s rights (Chapter 3 of the GDPR);
    • assists the controller in observing compliance with Articles 32-36 (these regard risk, security and breaches);
    • on request, deletes or returns the data to the controller;
    • gives the information necessary to show compliance, and allows audits or inspections by the controller or the controller’s mandated auditors.
  • Where another processor is involved, that you ensure all the above regulations also apply to that processor, including securing a contract similar to the one you are engaged in with the controller;
  • That you follow an approved code of conduct or a certification mechanism (Articles 40 and 42);
  • That you do not process the data you hold except with the permission of the controller or under the authority of Union or Member State law (Article 29);
  • That infringement of the regulation will cause a processor to be treated as a controller in regard to legal actions (fines and penalties as shown in Articles 82-84).

There are a number of further responsibilities for the recording of processing activities, as defined in Article 30. These are mostly rules enforced upon the controller, but when you are instructed to perform such activities by a controller it is assumed that the processor will keep similar records to allow full compliance for both processor and controller.

There is some allowance made for small amounts of processing or material held by micro and small organisations (Recital 13), but for the most part you have to observe the regulations of Articles 30, 32 and 49. There is specific mention of security and of the types of data that need to be recorded, and it is generally good practice to do this.

As always, I seem to be giving the advice that the more we move towards pseudo-anonymisation and anonymous processing and storage of data, the better the results. You will be more compliant and less open to risk; you will also have to satisfy far fewer regulations under this act.

But I am not in the EU

You must bear in mind that if you conduct a large amount of data processing for controllers based in the EU, or on data subjects within the EU (this is all persons residing in the EU, not just EU citizens), it is wise to consider yourself to be in the EU for the purposes of the legislation. With that in mind you should consider Article 27: Representatives of controllers or processors not established in the Union.3

Further Reading

In all cases it is wise to consult the regulations directly when determining your level of responsibility to make yourself compliant. Further reading for this piece can be found in:

Articles: (Chapter 4), 27, 28, 30, 31, 32, 82, 83, 84, 93

Recitals: 13, 75, 76, 77, 78, 79, 80, 81, 82, 83

[Don't forget that you can join in this conversation by using the comments form at the bottom of the page or by tweeting at @shadowcat_mdk]


  1. Note that the onus is on the controller to ensure that they check the processor is observing these when choosing an appropriate processor to use. Also, a data processor must check any third-party processors and report this to the controller.

  2. See the section above regarding risk, and Article 32 of the GDPR.

  3. There is an accompanying Recital, 80, which defines further what the designation of a representative is.