New data protection laws (GDPR) will be introduced this May and businesses in the region will need to adapt and plan resource around it. The mismanagement of data can already have serious implications, however up until this point in time, the law has failed to reach many organisations, further down the chain, who may have had careless data sharing practices, (data processors).
Data processors are a separate legal entity and examples include payroll, marketing or IT companies that your business may send data to, or you may even be one of these data processing businesses.
Under the current law (applicable until the GDPR takes effect on 25 May 2018), these secondary handlers of data are generally only subject to contractual obligations imposed on them by data controllers, (the company who collected the data in the first place), and it is this company that retains the responsibility for any breach of the law.
The GDPR will change this. There will need to be specific written agreements between a company (the controller) and any secondary holders (processor) and it places direct obligations on the processor, such as the requirement to implement appropriate technical and organisational measures to secure data, to keep records and data breach notification requirements.
The reasons for imposing these onerous requirements on processors is largely to tighten up on sloppy data sharing practices – for example, if a consumer passed their details to ‘Company X’, their data might then be outsourced to various organisations down the chain who didn’t have accountability for how they handled it. The GDPR will shine a light on such careless data sharing practices.
This means that if you are a business who collects, or manages data on another company’s behalf you need to make plans now. Carry out due diligence on the companies you use for your processing, or if you are a processor, carry out that due diligence on the data controller – as it’s their data you are now liable for. You will also need to enter into written contracts.
There are advantages of spending the time now to prepare. If your business is a trusted one which can safely handle its processes, you will be better placed to attract new business.