May 16, 2018
One of the topics we rarely see covered is what GDPR means for ‘Data Processors’ – businesses like LibLynx that touch user data on your behalf.
You are responsible under GDPR for ensuring your Data Processors fulfil their obligations, but do your data processing agreements accurately reflect this?
If you’re not sure, here’s a handy summary for those of you who don’t want to read the original 88 pages of legislation in all its glory.
If you’re unclear on what GDPR is, or on the definition of key terms like Personal Data and Data Processor, read our overview at the bottom of this post.
GDPR creates legal obligations for Data Processors across 4 general areas:
You can’t just assume that your Data Processors are taking the necessary steps towards compliance. GDPR explicitly requires you to put in place contractual guarantees to ensure they meet their obligations to you, and to your users (backed up by stiff penalties of up to €20m if you fail).
Here’s what those legal obligations mean in practice.
Your data processing agreement must specify the GDPR obligations of each party. These are laid out in Article 28 of the legislation, but here are some examples:
Article 32 of the legislation focuses on the security of processing. No surprises here – Data Processors must:
Data Processors must bake data protection into their services, rather than adding it as a layer of icing on top:
This last section is about ensuring that Data Processors play a proactive role in providing you with advice and assistance to meet your GDPR obligations.
As GDPR impacts us directly, we’ve written a guide containing more detail on the Data Processor obligations, and how we meet them.
Please contact us if you’d like a copy of our guide, or want to pick our brains about this topic in general. We’d be delighted to hear from you!
The General Data Protection Regulation (GDPR) is an EU directive that comes into force from 25 May 2018, replacing an earlier 1995 Data Protection Directive. It is designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of EU citizens, and to reshape the way organizations across the region approach data privacy. Key changes from the previous directive include:
The following 4 definitions are fundamental to understanding the regulations:
Personal Data (PD)
Any information relating to a person who can be directly or indirectly identified by that information. This includes situations where a person can be identified from a combination of information, none of which is personally identifiable on its own, such as IP ranges and usage logs.
Processing
Any operation performed on PD, whether or not by automated means. This includes simply storing PD in a hosted service.
Data Controller
A controller determines the purposes and means of processing PD. This is typically our client, i.e. the publisher or service provider that owns the user relationship.
Data Processor
A processor is responsible for processing PD on behalf of a controller. This is typically the role played by LibLynx when we process PD for clients.
The legal obligations on Data Controllers and Data Processors arise from a core set of guiding principles laid out in the regulations, which require that PD is:
Read the full text of the Directive here.