French guidance for the newcomers
GDPR implications for data processors
09 November 2017
For a wide range of service providers who qualify as "data processors" (e.g. IT service providers, software integrators, and communication and advertising agencies processing personal data on behalf of their clients), 2018 brings big changes, as the General Data Protection Regulation (GDPR) becomes applicable.
The GDPR, which will apply from 25 May 2018, represents a new, major regulatory challenge for data processors. Under current law, which stems from Directive 95/46/EC, data processors' data protection obligations are few and derive solely from their contract with the data controller, who is directly responsible for the processing. The GDPR constitutes a disruptive change for data processors by:
- giving processors responsibilities and liabilities in their own right;
- imposing onerous obligations (e.g. keeping a record of processing activities; assisting the data controller in meeting its own obligations regarding data security, data protection impact assessments, data breach notification and data subjects' rights);
- providing for steep fines, up to EUR 20 million or 4% of annual global turnover, whichever is higher.
Accordingly, data processors will be required to implement major changes in the way they approach the processing of personal data.
The guide for data processors (the "Guide"), published by the French Data Protection Authority (CNIL) on 29 September 2017, comes at the right time to help them prepare for it.
Published a few days after the Information Commissioner's Office (ICO) issued its draft GDPR guidance on "contracts and liabilities between controllers and processors", the Guide takes a pedagogic approach to helping data processors grasp the magnitude of their forthcoming obligations.
Taking data processors by the hand
The Guide's primary aim is not so much to interpret the GDPR as to help data processors navigate its abstract obligations. The Guide:
- gives examples of technical measures data processors should implement to give effect to the principles of "privacy by design" and "privacy by default" (e.g. privacy settings that ensure only the minimum amount of personal data is collected; careful management of staff access rights, for instance granted on a "data by data" basis);
- explains that an entity which is at the same time a data controller for the processing it carries out with the personal data it collects itself (e.g. for HR or customer relationship management) and a data processor acting on behalf of a client must distinguish the two activities and keep two records, one for its activities as a data controller and one for its activities as a data processor;
- recommends anticipating the application of the GDPR by adapting data processing contracts now and stipulating that the new clauses will take effect on 25 May 2018;
- lists behaviours that would constitute breaches under the GDPR (e.g. failing to assist the data controller with its obligations, or sub-processing without the data controller's authorization or through a sub-processor which does not offer sufficient guarantees).
Furthermore, the Guide encourages data processors to designate a data protection officer (DPO) even where they fall outside the scope of the obligation to appoint one, so that they have a single person coordinating the implementation of their GDPR compliance plan.
Guide's added value: creating useful tools for data processors
The Guide provides template data processing clauses, which should ease contractual formalisation and give stakeholders a valuable indication of the CNIL's expectations.
The template clauses include both stipulations that are mandatory under the GDPR and "controller-favourable" provisions which the GDPR does not require and which broaden the data processor's contractual duties (e.g. an obligation to provide data security training to the personnel authorized to access the data, and an obligation to give the data controller written evidence that the data has been destroyed at the end of the service). Though not strictly required by the GDPR, such "extra" provisions are likely to be justified in practice.
The template also sets out possible options on certain matters (e.g. sub-processing, informing data subjects), which is helpful.
The devil is in the detail: effective cooperation between data processors and data controllers requires further guidance
The Guide usefully raises data processors' awareness on the GDPR. It constitutes a high-level tool for GDPR readiness workstreams.
However, one might have expected further guidance on certain material topics, such as:
- the content of the data processor's assistance obligations towards data controllers (for instance, what does assistance concretely mean when it comes to data protection impact assessments?);
- the audit regime (e.g. scope, frequency of audits, on-site access conditions);
- liability and penalties (e.g. risk allocation, liability caps, excluded damages, liquidated damages).
Like the ICO's guidance, the Guide illustrates data processors' obligations under the GDPR and is presented as a living document. However, the ICO's guidance clearly announces further guidance on specific subject matters that call for clarification (e.g. assistance to the data controller, record keeping, data breach notifications, the DPO, penalties and damages). The CNIL may need to go in the same direction.
To be continued...
This article was first published on 30 October 2017 on Thomson Reuters Regulatory Intelligence platform.