On 13 September, the Information Commissioner’s Office (ICO) issued its draft guidance on contracts and liabilities between controllers and processors under the GDPR (Guidance).
With the GDPR now only eight months away from applying in the UK and all EU member states, this article looks specifically at data processing agreements. It considers how the Regulation, together with the Guidance (which sets out for the first time how the ICO will interpret the Regulation in this area), will affect your organisation’s processing arrangements, whether you operate in the public or private sector, and whether you outsource data processing to third parties or your business processes personal data on behalf of your customers.
New obligations, greater accountability and heftier fines mean businesses should be taking steps now to make sure they will be able to comply with the GDPR when it applies from 25 May 2018.
Definitions and scope
The concepts of data controller (the party determining the purpose and means of the processing) and data processor (the party who processes the personal data on behalf of the controller) remain the same under the GDPR as they were under the Data Protection Act 1998 (DPA). The nature of that relationship, however, and the terms that govern it are likely to change considerably under the new regime.
All agreements which involve the processing of personal data will be caught by the GDPR, from large-scale outsourcing of cloud services to the provision of promotional and marketing services.
Most organisations that use a third party to process personal data on their behalf will already have a written contract in place, as this was required under the seventh data protection principle of the DPA, which deals with security measures. The GDPR extends the current requirements, however, by prescribing a checklist of terms which must be included in the data processing contract, including details of the processing, the processor’s obligations and the standards it must meet.
Many of the new requirements are aimed at ensuring and demonstrating compliance with all aspects of the GDPR. This greater emphasis on “accountability” of controllers and processors pervades the GDPR, not least when it comes to appointing processors.
Processors now have direct responsibilities under the GDPR beyond their contractual liabilities to controllers. For the first time processors can be held directly responsible for non-compliance with their obligations under the GDPR and may be subject to administrative fines or other sanctions and could be liable to compensate data subjects in the event of a breach.
Appointing a data processor
Controllers remain responsible for their own compliance with the GDPR and must only appoint processors who can provide “sufficient guarantees” that the requirements of the GDPR will be met and the rights of data subjects protected. This is much broader than the current requirements, which focus on data security, and it is expected that controllers will carry out wider due diligence on processors at the outset of the relationship than is currently the case. This is likely to take more time and resource on the part of the controller. The GDPR refers to the use of approved certification schemes to help controllers satisfy their obligations in this regard but, according to the recent Guidance, no such schemes are currently available.
Article 28 of the GDPR sets out mandatory requirements which must be set out in a data processing agreement every time a data controller appoints a processor and when a processor engages a sub-processor to act on its behalf.
The contract must set out:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and categories of data subject; and
- The obligations and rights of the controller.
Contracts must also contain, as a minimum, the following terms, requiring the processor to:
- Only act on the written instructions of the controller;
- Ensure that people processing the data are subject to a duty of confidence;
- Take appropriate measures to ensure the security of processing;
- Only engage sub-processors with the prior written authorisation of the controller (which may be specific or general) and under a written contract imposing the same obligations;
- Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments (DPIAs);
- Delete or return all personal data to the controller as requested at the end of the contract;
- Submit to audits and inspections, provide the controller with whatever information it needs to demonstrate that they are both meeting their Article 28 obligations, and tell the controller immediately if, in the processor’s opinion, an instruction infringes the GDPR or other data protection law of the EU or a member state.
One thing the Guidance makes clear is that data processing agreements will need to be very clear at the outset about the extent and nature of the processing which is going to be carried out. Very general or “catch all” contract terms will not be GDPR compliant.
The GDPR allows for the European Commission or the ICO to issue standard contract clauses for use in data processing agreements. According to the ICO Guidance, no such standard clauses have yet been drafted.
Organisations should be thinking now about the new requirements when they are negotiating data processing contracts which will extend beyond 25 May 2018 and including GDPR-compliant clauses in those agreements. This will avoid the need to amend those contracts when the GDPR comes into force.
In addition, existing contracts which will still be in place when the new rules apply should also be reviewed for GDPR compliance. These are very likely to require re-negotiation to make sure they will stand up once the Regulation applies.
Even in the absence of ICO-approved standard clauses, the above list of mandatory obligations can be used as a checklist of terms to include in new contracts. In addition to the detailed provisions, however, there are also some areas where controllers may consider seeking more than the mandatory obligations from their processors. For example, controllers must notify their supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; processors only have a duty to notify controllers “without undue delay”. Controllers may feel this does not give them sufficient assurance that they will meet the 72-hour deadline, so may seek an obligation from the processor to notify within a shorter period, for example, 24 hours.
One aspect of data protection law that is very different under the GDPR is that processors have direct responsibilities and obligations which go beyond their contractual obligations to controllers. The administrative fines that can be imposed on controllers and processors for breaching the GDPR could be as high as 4% of total worldwide annual turnover or €20m, whichever is the greater (or up to 2% and €10m for the lower tier of infringements). Individuals who suffer damage as a result of an infringement may be able to claim compensation from a controller or a processor.
There is likely to be greater negotiation around liability caps and indemnities in data processing contracts as the GDPR implementation date approaches and beyond as controllers and processors seek to carve up their respective liabilities between themselves. We are likely to see controllers seeking uncapped or significantly higher caps on liability from their data processors under the GDPR in the face of higher regulatory fines and potential claims from data subjects.
Suppliers would be wise to review their cybersecurity insurance policies now and consider whether the scope and level of cover currently in place will be adequate when the GDPR comes into force and consider whether this needs to be extended in light of the new GDPR risks.
Steps to take now
- Organisations should be auditing their supply chains now to understand which contracts may require renegotiation in order to comply with the GDPR requirements.
- Businesses should be reviewing their procurement processes and regime for selecting processors to establish whether they need to carry out enhanced due diligence or, where the outsourcing is sufficiently high-risk, a DPIA.
- Contracts currently being negotiated which will extend beyond May 2018 should include GDPR-compliant provisions.
- Review and update your standard templates using the GDPR requirements as a checklist.
- Check relevant insurance policies to make sure they give adequate cover for GDPR risks.
Unlike some elements of the GDPR, there is already comparative clarity around what will need to be included in data processing contracts when the Regulation applies. For organisations that outsource a lot of data processing, it is likely to take some time and effort to get their agreements GDPR-ready. These are two very good reasons why this should be at the top of your GDPR compliance “to do” list.
This article does not constitute legal advice. Specific legal advice should be taken before acting on any of the issues covered.