Some of us are old enough to remember when a data processor was a machine, not a person.

Today, a 'data processor' is the person who holds and processes data on behalf of a 'data controller'.

- The data processor does not have any responsibility or control over the data
- The data controller decides the purpose of processing the data, and the process to be followed

Statutory obligations used to fall solely on the data controller. Under the new GDPR legislation, there are a bunch of obligations that fall on data processors too.

Most of the GDPR articles I've seen (and written) focus on the obligations and responsibilities of the data controller. But the data processor has their own obligations and risks.

Depending on your activities, failure to comply can lead to fines or administrative measures imposed by the ICO or their European counterparts. It's a serious business. Fines can be up to €20 million or 4% of worldwide turnover. If things get really bad, you can also face a lawsuit from a data subject.

This article looks at the Data Protection Act 2018 (as it is now called since it's passed the bill stage) from the perspective of a data processor.

Are you a data processor or a data controller?

Whether you are a data processor or a data controller is a matter of fact that is assessed by the ICO in each case. It is decided based on how much supervision happens.

You might think you are a data processor, but the more independent you are, the more likely it is that you are also a data controller. The more supervision you are under, the more likely it is that you are only a data processor.

For example, you'd be a data processor if you provide cloud services for web hosting, IT, HR, payroll or marketing.

To complicate matters further, the same set of data could have more than one data controller, in which case you need to have a written agreement with the other data controller(s) in place.

Your obligations as a data processor

You are obliged to only process personal data in line with the instructions from the data controller, and ensure that you have adequate technical and security measures in place. You must comply with restrictions on transferring data out of the EU.

There are also obligations about your record-keeping. Depending on the type of data processing you do, you may be obliged to appoint a data protection officer. If there is a breach, you must notify the data controller, who then notifies the ICO.

Questions to address

- Do you process data for third parties?
- Is the relationship covered by a written contract?
- Do existing contracts need to be refreshed for the GDPR regime?
- Are you satisfied that you are meeting the new security and record-keeping obligations?
- Do you process personal data, especially sensitive personal data such as health, sexual preference, race, or criminal convictions?

Are you covered?

You should have a written legal agreement in place with the data controller you are acting for. This should cover a whole bunch of issues:

- Subject matter and type of personal data you are processing
- Category of data subjects, such as clients/users of ABC Solutions, or their demographic profile e.g. elderly people in Grimsby
- Obligations and rights the data controller has over the data processor
- Extent you can use sub-contractors to do the processing for you

(As solicitors who specialise in commercial law, we can help with that.)

Are you a data controller who has data processors working for you? If yes, you might think covering your role as a data controller is quite simple - but both ends of the relationship must be protected, so you must ensure that your data processors work under properly documented arrangements.

(Naturally, we can help with that too.)

Image copyright: Elnur / 123RF Stock Photo