GDPR for IT contractors: how to update your data practices
Over the last couple of years, since the General Data Protection Regulation was adopted, it has become almost impossible for any of us to avoid these infamous 4 letters ‘GDPR,’ writes Charlotte Gerrish, founding partner at Gerrish Legal.
So what is the GDPR exactly?
As a quick reminder, the GDPR[1] is a European law initiative which harmonises the rules relating to the processing of personal data across all member states of the European Union, meaning that we will all be acting on a level playing field. Even in light of Brexit, Britain is still concerned by the GDPR as the Queen (in her Speech last summer) confirmed that the UK would still be adhering to the GDPR and the data protection principles contained in it.
Who does the GDPR apply to?
The GDPR applies to any entity processing “personal data”. For the purposes of the GDPR, personal data includes:
“any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[2]”.
In an IT context, the specific reference to online identifier is likely to include meta data, tracking or localisation as well as cookies or other web-based analytics.
The GDPR also states that the rules apply to entities established within the EU (even if processing takes place outside of the EU, for example on cloud storage based in India, or on servers based in the US), and also applies to entities established outside of the EU provided that they offer goods or services to individuals based in the EU[3].
What are the changes?
The key changes in the GDPR relate to enhanced rights for individuals, which also means increased sanctions in the event of non-compliance (up to 4% of a company’s annual global turnover or EUR 20 million), and placing more responsibility and accountability placed on data controllers and data processors.
How does GDPR impact IT contractors?
As an IT contractor, there is almost no doubt that part of your work relates to processing personal data.
The GDPR says that “processing” means:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction[4]”.
Which means that “processing” includes paper / manual processing as well as processing via machines (computers, artificial intelligence, software), which is more likely to be related to your professional activity.
The GDPR also says that[5] data needs to be processed in a way which ensures security of personal data; protection against unauthorised or unlawful processing and accidental loss, destruction or damage must be done using appropriate technical or organisational measures. This means that as an IT contractor, you need to work in a way and provide solutions to your clients which guarantee the integrity and confidentiality of personal data that they hold.
To do that successfully, efficiently and compliantly, there are five key areas that IT contractors must address. The first of these five is below; the remaining four will be disclosed in Part Two of this IT contractors’ overview to the GDPR.
What IT contractors must address for true GDPR compliance -- the fundamental five
1. Ensure that you maintain and are available to advise your clients on top IT security mechanisms on an ongoing basis. GDPR compliance doesn’t just stop on 25th May 2018 – arguably, this is when it begins!
The GDPR says that data processors and controllers need to take the security of personal data into account[6]. The law therefore says you need implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks of any information or security breach (such as accidental destruction, loss, alteration, disclosure or access to personal data). The GDPR says that appropriate technical and organisational measures[7] may include:
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The GDPR[8], also states that you need to ensure that a network or an information system is able to “resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned”.
The GDPR further says that this might include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
Editor’s Note: This two-part article by Gerrish Legal founding lawyer Charlotte Gerrish, who has more than 10 years of legal experience at international law firms and companies in London, is an overview of the GDPR for IT contractors. It is for guidance purposes only and does not constitute definitive legal advice.
[1] Full reference - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”).
[2] See Article 4(1) of the GDPR.
[3] See Article 3 of the GDPR – Territorial Scope.
[4] See Article 4(2) of the GDPR.
[5] See Article 5(f) of the GDPR.
[6] See Article 32 of the GDPR.
[7] Recital 83 of the GDPR also says that: "Any measures should also into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."
[8] See Recital 49 of the GDPR.