One of the topics we rarely see covered is what GDPR means for ‘Data Processors’ – businesses like LibLynx that touch user data on your behalf.

You are responsible under GDPR for ensuring your Data Processors fulfil their obligations, but do your data processing agreements accurately reflect this?

If you’re not sure, here’s a handy summary for those of you who don’t want to read the original 88 pages of legislation in all its glory.

If you’re unclear on what GDPR is, or the definition of key terms like Personal Data and Data Processor, then read our overview at the bottom of this post

GDPR creates legal obligations for Data Processors across 4 general areas:

  1. Transparency and traceability
  2. Data security
  3. Data protection by design and by default
  4. Assistance, alert and advice

You can’t just assume that your Data Processors are taking the necessary steps towards compliance. GDPR explicitly requires you to put in place contractual guarantees to ensure they meet their obligations to you, and to your users (backed up by stiff penalties of up to €20m if you fail).

Here’s what those legal obligations mean in practice.

1. Transparency & Traceability

Your data processing agreement must specify the GDPR obligations of each party. These are laid out in Article 28 of the legislation, but here are some examples:

  • A description of the nature, purpose, subject matter and duration of processing, the type of personal data, and the categories of users covered.
  • Written authorisation to use named sub-processors.
  • Commitments to implement ““appropriate technical and organisational measures” to meet the GDPR requirements and ensure user’s data rights are protected.
  • Provision of “all information necessary to demonstrate compliance” with your obligations, including audits.

2. Data Security

Article 32 of the legislation focuses on the security of processing. No surprises here – Data Processors must:

  • Ensure anyone processing Personal Data is bound by confidentiality.
  • Notify you of any data breach.
  • Implement appropriate technical and organisational measures “to ensure a level of security appropriate to the risks”.
  • Delete or return all data at the end of service, and destroy any copies.

3. Data protection by design and by default

Data Processors must bake data protection into their services, rather than adding them as a layer of icing on top:

  • By design, their services must incorporate data protection principles.
  • By default, their services must ensure that processing only covers what’s required i.e. the amount of data collected, the extent of processing, the period of storage, and the number of people with access.

4. Assistance, Alert and Advice

This last section is about ensuring that Data Processors play a proactive role in providing you with advice and assistance to meet your GDPR obligations.

  • Informing you if they believe that your instructions infringe data protection rules.
  • Assisting you in responding to user requests regarding their data rights.
  • Assisting you in complying with data protection obligations, such as data breaches or questions over data security.

Want a copy of our Guide to GDPR & Data Processors?

As GDPR impacts us directly, we’ve written a guide containing more detail on the Data Processor obligations, and how we meet them.

Please contact us if you’d like a copy of our guide, or want to pick our brains about this topic in general. We’d be delighted to hear from you!

Overview of GDPR

The General Data Protection Regulation (GDPR) is an EU directive that comes into force from 25 May 2018, replacing an earlier 1995 Data Protection Directive. It is designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of EU citizens, and to reshape the way organizations across the region approach data privacy. Key changes from the previous directive include:

  • Territorial Scope – it applies to to all organizations processing the Personal Data (PD) of data subjects residing in the EU, regardless of the organization’s location.
  • Individual rights – GDPR lays out a series of explicit rights that individuals have over their PD, such as the right to access, the right to be forgotten, and data portability.
  • Explicit consent – user consent for data processing must be requested in an intelligible and easily accessible form, and explicitly given. No more legalese and buried checkboxes.
  • Stiffer penalties – organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).

The following 4 definitions are fundamental to understanding the regulations:

Personal Data (PD)
Any information relating to a person who can be directly or indirectly identified by that information. This includes situations where a person can be identified from a combination of information, none of which is personally-identifiable on its own, such as IP ranges and usage logs.
Processing
Any operation performed on PD, whether or not by automated means. This includes simply storing PD in a hosted service.
Data Controller
A controller determines the purposes and means of processing PD. This is typically our client i.e. the publisher or service provider that owns the user relationship.
Data Processor
A processor is responsible for processing PD on behalf of a controller. This is typically the role played by LibLynx when we process PD for clients.

The legal obligations on Data Controllers and Data Processors arise from a core set of guiding principles laid out in the regulations, which require that PD is:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that PD that are inaccurate are erased or rectified without delay.
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the PD are processed (‘storage limitation’).
  6. processed in a manner that ensures appropriate security of the PD, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity & confidentiality’).

Read the full text of the Directive here.

Header image © nolifebeforecoffee