GDPR: An IT Contractor’s Who’s Who
It’s not just ‘personal data’ and ‘processing’ that the GDPR – due to hit from next month – covers, writes Charlotte Gerrish, founding lawyer at data law consultancy Gerrish Legal.
In the human sense, the General Data Protection Regulation effective in the UK from May 25th 2018 applies to ‘Data Processors,’ ‘Sub-Processors’ and ‘Data Controllers.’
It is these parties that need to read my five fundamentals for GDPR-compliance. But who are these parties, ‘on the ground’? Are they you, an IT contractor? Are they your client? And if ‘yes’, what must you and your end-user do in under 40 days to avoid breaking the law?
GDPR: where it catches contractors and clients
The General Data Protection Regulation (also known as the GDPR[1]) comes into force next month in all Member States in the EU (May 25th 2018), and applies not only to businesses situated within the EU, but also to businesses situated outside of the EU insofar as they provide services to EU citizens.
Under the GDPR, a key exercise for IT contractors is to work out whether you are a Data Controller or a Data Processor, and to define the relationship between you and your clients, since in the event of a Processor-Controller relationship, you need to set out the scope of your relationship in writing.
Quick Glossary
For the purposes of the GDPR and this article:
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction[2].
‘Data Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data[3].
‘Data Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller[4].
From these definitions, we can see that if you are working as an IT contractor, then it is highly likely that you are going to be acting as a Data Processor on behalf of your client(s), or a Sub-Processor on behalf of your client(s), and that you will process some form of personal data (see my GDPR Overview for Contractors for the definition of ‘personal data’). Your client(s) will most likely have the role as a Data Controller.
GDPR: the controller–processor relationship[5]
To ensure compliance with the GDPR in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the GDPR states that:
“The controller should use only processors providing sufficient guarantees, such as expert knowledge, reliability and resources, to implement technical and organisational measures for the security of processing”.
It is important to note that the adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. This means that IT contractors who have certified training or are bound by professional rules (or even official certifications once these have been implemented by the ICO or other supervisory authority), will be able to provide much more comfort to their clients.
Further, the GDPR clearly states that processors should carry out processing under a contract or pursuant to law which legally binds the processor to the controller, which means that it is in an IT contractor’s best interests to clarify the scope of the relationship in writing and ensure that their position is well protected. In this respect, advice from a data protection lawyer is invaluable.
At present, the GDPR states that the controller and processor may choose to use an individual contract or standard contractual clauses. However, neither is currently available at the time of writing, but they may soon be adopted either directly by the European Commission or by a supervisory authority, such as the ICO in the UK.
Finally, regard must be had to technical measures and risk assessments, as Recitals 81 to 83 of the GDPR make clear:
“In order to maintain security and to prevent infringement of the GDPR, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.
“Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.
“In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”
So what do client-outfits have to put in their Data Processing contracts as a matter of law, when an IT contractor is the Processor and the client is the Controller?[6]
N.B. This article is aimed at IT contractors, but it is going to be very useful to look at the obligations weighing on clients, so that contractors can better understand their own individual position and potentially see where there is room for negotiation in contracts/agreements.
Therefore, the follow-up to this ‘GDPR: an IT Contractor’s Who’s Who’ will explore Data Processing contracts and what Data Controllers need to put in them, which, in turn, will provide a window onto the liability and risks IT contractors could find in their agreements and how to protect against them.
Editor’s Note: This is the first instalment of a two-part GDPR guide by Gerrish Legal founding lawyer Charlotte Gerrish #legalbusinesspartner, who has more than 10 years of legal experience at international law firms and companies in London. This overview of GDPR is for guidance purposes only and does not constitute definitive legal advice.