
Understanding How GDPR Compliance Affects Your Business

On May 25, 2018, the GDPR, or General Data Protection Regulation, went into effect. GDPR is a legal framework that governs the way companies handle the personal data of individuals within the European Union (EU). Its reach is not limited to Europe: it also shapes data privacy law and compliance for companies on other continents that manage the personal data of individuals located in the EU. Companies across industries must focus on GDPR compliance and take steps to provide the required disclosures and ensure that EU consumer data is protected.

What is GDPR?

You can learn more about the ins and outs of GDPR from our post, Introduction of GDPR. In general, GDPR is a set of privacy protection laws that determine how businesses collect, store, and process personal data. Before turning to a discussion of the practical impact of GDPR on covered entities, it is essential to understand the contractual provisions that govern the relationship between controllers and processors. Article 4 of the GDPR defines each role:

  • Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
  • Processor: the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

These contractual provisions are generally found in a data processing agreement, commonly referred to as a data processing addendum or “DPA.”

GDPR DPA Requirements

If your business processes personal information relating to individuals residing in the EU, or provides such information to any other entity, you are likely already familiar with the concept of a data processing agreement. The most fundamental provisions required by GDPR are set out in Article 28(3). That section requires that “processing by a processor” be “governed by a contract…that sets out the:”

  • subject-matter of the processing;
  • duration of the processing;
  • nature and purpose of the processing;
  • types of personal data subject to processing;
  • categories of data subjects; and
  • rights and obligations of the controller.

In addition to the above, GDPR sets forth a number of stipulations applicable to processors, each of which must appear in the relevant agreement or DPA. These stipulations require that the processor:

  • must act only on the controller’s documented instructions unless required by law;
  • will ensure that individuals processing the controller’s data are subject to an appropriate duty of confidence;
  • must take proper measures to ensure the security of processing;
  • may only engage a sub-processor with the controller’s prior written authorization (specific or general) and under a written contract that imposes the same data protection obligations on the sub-processor;
  • must take appropriate technical and organizational measures to help the controller respond to requests from individuals exercising the rights provided to them under GDPR;
  • must, taking into account the nature of the processing and the information available to it, assist the controller in meeting its GDPR obligations regarding the security of processing, notification of personal data breaches, and data protection impact assessments;
  • must, at the controller’s choice, delete or return all personal data to the controller after the end of the services relating to processing, and delete existing copies unless applicable law requires the data to be retained; and
  • must make available to the controller all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller.

Ensure GDPR Compliance with Bagchi Law 

Whether your business is a controller entering into a DPA with a processor, or a processor engaging a sub-processor, meeting each GDPR requirement can seem daunting. On the flip side, failure to comply with GDPR can result in significant fines. Since GDPR became effective in May 2018, enforcement actions have increased sharply, so it is more important than ever for businesses to focus on compliance.

Schedule a consultation today to learn how the team at Bagchi Law can help you with GDPR compliance.
