Until recently, data controllers—enterprises that own customer data—maintained sole responsibility for upholding EU data protection laws, and made sure data processors they partnered with followed suit. However, under the EU’s newly adopted General Data Protection Regulation (GDPR), data processors will no longer be free of liability for breaking data privacy laws, and will share data protection responsibility for EU citizens with data controllers.
With these changes, how will businesses balance data protection responsibility if something like a breach occurs? Whether a data processor or data controller is the cause of a data breach, both will face the consequences administered by the GDPR.
Despite benefits to citizens, the GDPR could make it difficult for companies to trust each other, causing crimps in a previously less regulated contractual process. To make adjustments in line with the GDPR without stifling productivity or efficiency, data controllers and data processors need to understand how the GDPR is going to affect them and their business relationships in a few major ways:
The GDPR will impact all data controllers and data processors
Whether based in the EU or globally, all data controllers and data processors engaging with EU citizens’ personal data are subject to the GDPR.
Relationships will become more rigid
Data controllers will require data processors to follow strict guidelines regarding data transfers outside of the EU, and will expect data processors to assist with maintaining data security, preventing data breaches and disposing of or returning data when it’s no longer needed. Data processors will be able to work with other data processing companies if data controllers give consent, but that means data processors will be responsible for ensuring those other data processing companies comply with data controllers’ guidelines.
Data processors will need to prove compliance with the GDPR
Data processors will be required to record their data processing efforts and present that documentation to a Data Protection Authority (DPA) upon request. DPAs will have the ability to: investigate data processors; access data and sites where data is processed; prohibit data processing; deliver warnings and orders to data processors; and issue fines to data processors. Additionally, data processors working with large amounts of data will be assigned a data protection officer who counsels them on GDPR compliance, and monitors and reports activity to a DPA.
There will be legal consequences for mismanaging data processing
EU citizens will have the right to bring legal charges against data processors who mismanage their personal data or violate their rights set by the GDPR. However, data processors will also be able to protest their liability if they can prove the charges are invalid. As a reminder, if the data processor is involved with a data controller that is being held liable, the data processor will also be held liable. Data processors will be required to immediately alert data controllers of data breaches and help resolve issues.
There is currently much concern surrounding how data protection responsibility between data controllers and data processors for data protection will affect cloud service providers, but the issue of impact is translatable to the mainframe world, too, where it comes down to outsourcing situations.
For instance, if Bank A (data controller) uses real data in test environments, outsources the testing to Provider B (data processor) and a breach occurs, the person whose data was leaked can sue both Bank A and Provider B.
Rather than viewing the GDPR as a reason to distrust each other, data controllers now have a strong reason to align with data processors over data protection responsibility to protect citizens by ensuring no real, sensitive data never enters a testing environment.
Want to learn more about how the GDPR could affect your company, and what steps you should take? Download our new white paper “Unprepared for GDPR? the Research Report on the State of Enterprise Readiness for the EU’s New PII Mandates.”