In a previous article I covered the difference between data controllers and data processors, so you’ll know that as an accountant some of the time you’ll be a data controller and some of the time, a processor.
As I have already covered data controller obligations, let’s look at your obligations as a data processor in more detail.
A quick reminder of the Data Protection Act 1998 (DPA) definition – a data processor is “any person (other than an employee of the data controller) who processes the data on behalf of the data controller”.
Under the DPA, data processors have only limited obligations:
- Only the data controller is held liable for data protection compliance, not the data processor
- Any processing must be carried out in accordance with the data controller’s instructions, governed by a written contract, and subject to appropriate security measures
- To protect itself from compliance risk, a data controller will normally seek to pass its responsibilities to the data processor via the written contract; however, regardless of what the contract says, the controller remains legally responsible for any breaches caused by the actions of its data processors
- The Information Commissioner’s Office (ICO) has no direct enforcement powers against data processors
So what’s different from 25th May 2018 when GDPR applies?
GDPR introduces direct statutory obligations on data processors; they may be subject to direct enforcement by the ICO, serious fines for non-compliance and compensation claims by data subjects for any damage caused by breaching the GDPR.
These obligations include:
- Data Processing Agreements – processors may only process personal data on behalf of a controller where a written contract is in place which imposes a number of mandatory terms, set out in the GDPR, on the data processor
- Sub-processors – processors may not engage a sub-processor without the prior specific or general written authorisation of the data controller.
- Data controller instructions – processors may only process personal data in accordance with the instructions of the controller.
- Accountability – processors must maintain records of data processing activities and make these available to the ICO on request.
- Data security – processors must take appropriate security measures and inform controllers of any personal data breach without undue delay after becoming aware of it. The GDPR sets no fixed timescale for this (the 72-hour deadline applies to the controller’s notification to the ICO, not to the processor), so a data controller should specify the timescale for breach notification in the written contract.
- Data protection officers – processors must designate a data protection officer where their processing activities are of a kind that requires one, for example large-scale processing of special category data or large-scale regular and systematic monitoring of individuals.
- Cross-border transfers – processors must comply with the restrictions regarding cross-border data transfers.
- Obligation to inform – the data processor must immediately tell the controller if, in its opinion, an instruction from the controller infringes the GDPR or other EU or Member State data protection law.
- Penalties – non-compliant processors risk fines of up to €20m (around £17m) or 4% of their worldwide annual turnover, whichever is higher.
The GDPR also makes data controllers and processors jointly and severally liable where more than one of them is involved in the same processing and responsible for the damage. This means that a data subject can recover full compensation from either party; where a controller or processor has paid full compensation for the damage suffered, it is entitled to claim back from the other controller or processor involved that part of the compensation corresponding to their responsibility for the damage.
The GDPR is a huge shift in the requirements placed on data processors compared with the DPA. It is essential that you put a written agreement in place with your clients so that there is a formal understanding of your role and responsibilities.
Ian Cooley GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.