If your business is handling personal data in any way, then you will have legal responsibilities as to how you handle that data.
One of the biggest changes with the introduction of GDPRs was the legal recognition of the “data processor”, a role in which, by and large, the handling of data is reduced to acting on behalf of another who makes controlling decisions about how the personal data is handled (the “data controller”).
It is not always well known, but a data processor has a different set of obligations under the GDPRs in relation to handling personal data. It was and still is common for data controllers to push their obligations onto data processors, or to state it is an obligation of the processor and therefore should be free, and those data processors may unknowingly be taking on cost and liability unnecessarily.
For example, Article 28 of the UK GDPR says that processors and controllers have to include contract provisions that include a requirement on the data processor to “make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller”.
This does not mean that data processors have to agree to an open-ended legal obligation to react to every audit and request. The contract is the place for the data processor to set out what assistance will be provided and at what cost. This is where the common sense approach makes sense. Data processors may set out a standard audit and assistance policy that is included in the price and then any further requests are chargeable.
The main point is though, those data processors understanding what is legally required and what is a commercial decision to provide is an informed, eyes wide open decision, which forms part of a wider data protection risk management strategy.
There are similar parallels to be drawn in respect of data security and DPIAs and we will discuss these in later blogs.
If you want to know more or have any questions, then contact Tracey today: firstname.lastname@example.org or call 01202 729444.