Whether you are a Data Controller or a Data Processor you have responsibilities under the General Data Protection Regulation (GDPR). A controller determines the purposes and means of processing personal data, whereas a processor is responsible for processing personal data on behalf of a controller. In either role you are required to maintain records of personal data and processing activities.
The Responsibilities of Data Protection Officers (DPO)
For information held
You should organise an information audit across your business or within particular business areas. One person with in-depth knowledge of your working practices may be able to do this.
This will identify the data that you process and how it flows into, through and out of your business, for example to any agreed sub-processors or back to the data controller.
Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).
Having audited your information, you should then be able to identify any risks.
Your business should then have documented what personal data you hold, where it came from, who you share it with and what you do with it.
Once you have completed your information audit, you should document your findings, for example in an information asset register.
Doing this will also help you to comply with the GDPR’s accountability principle, which requires your business to be able to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.
If you have fewer than 250 employees then you must keep records of any processing activities that:
* are not occasional;
* could result in a risk to the rights and freedoms of individuals; or
* involve the processing of special categories of data or criminal conviction and offence data.
If you have over 250 employees, you must record the following information:
* name and details of your business, of each controller on behalf of which you are acting and (where applicable) of the controller’s representative, your representative and data protection officer;
* categories of the processing carried out on behalf of each controller;
* where applicable, details of transfers to third countries including documentation of the transfer mechanism safeguards in place; and
* where possible, a general description of technical and organisational security measures.
You may be required to make these records available to The Information Commissioner’s Office on request.
Accountability and Governance
The GDPR requires you to show how you comply with the principles.
A policy will help you address data protection in a consistent manner and demonstrate accountability under the GDPR. This can be a standalone policy statement or part of a general staff policy.
The policy should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance.
The policy should be approved by management, published and communicated to all staff. You should also review and update the policy at planned intervals or when required to ensure it remains relevant.
Data Processors
It is important to make sure that someone in your business, or an external data protection advisor, takes responsibility for data protection compliance.
You may need to appoint a DPO. Any business can appoint a DPO but you must do so if you:
* are a public authority (except for courts acting in their judicial capacity);
* carry out large scale systematic monitoring of individuals (eg online behaviour tracking); or
* carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
The DPO should work independently, report to the highest management level and have adequate resources to enable your organisation to meet its GDPR obligations.
The DPO’s minimum tasks are to:
* inform and advise your business and its employees about their obligations to comply with the GDPR and other data protection laws;
* monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits; and
* be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
You may find it useful to designate a DPO on a voluntary basis even when the GDPR does not require you to.
You should document the internal analysis carried out to determine whether or not you appoint a DPO unless it is obvious that your business is not required to designate one.
Management Responsibility
You should make sure that decision makers and key people in your business are aware of the requirements under the GDPR.
Decision makers and key people should lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture within your business for data protection.
They should take the lead when assessing any impacts on your business and encourage a privacy by design approach.
They should help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.
Information risks and data protection impact assessments
You should set out how you manage information risk.
This task may be driven by the data controller you are providing services for, so you should work with that controller to ensure that all information risks you identify are fed back to them on a regular basis.
You need to have a senior staff member with responsibility for managing information risks, coordinating procedures put in place to mitigate them and for logging and risk assessing information assets.
Where you have identified information risks, you should have appropriate action plans in place to mitigate any risks that are not tolerated or terminated.
Before the start of a new contract with you, the data controller should complete a Data Protection Impact Assessment (where the circumstances require one to be completed) – as data processor you should be ready to provide your input to this assessment and work with the controller to mitigate any risks identified. Having an established information risk management framework in place will assist you to do this effectively.
Data Protection by Design
Under the GDPR, data processors have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. Under the GDPR, this is referred to as data protection by design and by default.
You should adopt internal policies and implement measures which help your business comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.
Training and Awareness
You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required.
You should also consider specialist training for staff with specific duties, such as information security, database management and marketing.
The regular communication of key messages is equally important to help reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).
Use of sub-processors
You should only engage another processor if you have the prior written authorisation of the data controller. This authorisation may be specific or general. However, if the authorisation is general, then, as data processor, you must tell the controller in advance of any changes you intend to make regarding the addition or replacement of other processors, so that they have the opportunity to object.
You should ensure this is included as a standard contract term.
Data processors now have responsibilities and liabilities in their own right, and processors as well as controllers may now be liable for penalties under the GDPR.
In the future, you may wish to consider looking at approved codes of conduct or certification schemes to help you demonstrate your suitability as a data processor. Standard contractual clauses may form part of such a code or scheme.
Operational Base
Under the GDPR, if your business is located outside the EU, and you offer products and services to citizens in the EU, then there is a requirement for you to appoint (in writing) a representative within the European Union.
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
Breach Notification
The GDPR introduces a duty on all data processors to inform controllers of a personal data breach “without undue delay” after becoming aware of it, which is why it is important that you have internal and external breach identification and reporting procedures in place.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
You should make sure that your staff understand what constitutes a data breach, and that this is more than a loss of personal data.
You should have investigation procedures in place to ensure that you can assist the controller in its responsibilities to act when a data breach occurs.
Right of access
Individuals have the right to obtain:
* confirmation that their data is being processed;
* access to their personal data; and
* other supplementary information – this largely corresponds to the information that you should provide in a privacy notice.
If you have identified and documented all the data you process it will make it easier to locate and retrieve specific information at the request of the data controller, as information must be provided by the data controller without delay and at the latest within one month of receipt of the request. You should have robust procedures in place and assign responsibility within your business to deal with these types of requests in a timely manner.
If the request is made electronically, you may be required by the data controller to send them the information in a commonly used electronic format.
Timescales for your response to a request for an individual’s information should be set within the written contract with the data controller.
Right to rectification and data quality
Right to erasure including retention and disposal
Individuals have the right to be forgotten and can request that the data controller (and therefore you also as data processor) erase their personal data when:
* it is no longer necessary in relation to the purpose for which it was originally collected/processed;
* the individual withdraws consent;
* the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
* it was unlawfully processed (ie otherwise in breach of the GDPR);
* it has to be erased in order to comply with a legal obligation; or
* it is processed in relation to the offer of information society services to a child.
These requests will initially be received by the data controller; however, if the data in question is also processed or stored by you, then you will need to have the appropriate procedures in place to ensure the data is erased permanently.
You should have standard contract clauses covering erasure, data retention and disposal. You should ensure that these conditions are met. A written retention policy will remind you when to dispose of various categories of data, and help you plan for its secure disposal.
Right to restrict processing
Individuals have a right to block or restrict the processing of personal data.
When processing is restricted, you are permitted to store the personal data, but not further process it.
You can retain just enough information about the individual to ensure that the restriction is respected in the future.
A data controller may request that as their data processor you restrict the processing of personal data in the following circumstances:
* where an individual contests the accuracy of the personal data;
* where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and the data controller is considering whether their legitimate grounds override those of the individual;
* when processing is unlawful and the individual opposes erasure and requests restriction instead; and
* if the data controller no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
They can receive personal data or move, copy or transfer that data from one business to another in a safe and secure way, without hindrance.
The right to data portability only applies:
* to personal data an individual has provided to a controller;
* where the processing is based on the individual’s consent or for the performance of a contract; and
* where the processing is carried out by automated means.
Information must be provided without delay and at the latest within one month of receipt. Your data controller may receive such a request, so you should be able to supply them with any applicable data you process on their behalf to enable them to fulfil the request.
You must provide the personal data in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files.
If the individual (and so the data controller) requests it, you may be required to transmit the data directly to another business where this is technically feasible.
Security Policy
You should process personal data in a manner that ensures appropriate security.
Before you can decide what level of security is right for you, you will need to assess the risks to the personal data you hold and choose security measures that are appropriate to your needs. Keeping your IT systems safe and secure can be a complex task and does require time, resource and (potentially) specialist expertise.
If you are processing personal data within your IT system(s) you need to recognise the risks involved and take appropriate technical measures to secure the data.
The measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have.
A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures that you will be implementing and the roles and responsibilities staff have in relation to keeping information secure.