Understanding How GDPR Compliance Affects Your Business
On May 28, 2018, the GDPR, or General Data Protection Regulation, went into effect. GDPR is a legal framework that governs how companies handle the personal data of individuals within the European Union (EU). It also shapes data privacy law and compliance obligations for companies on other continents that manage customer information belonging to EU residents. Companies across industries must focus on GDPR compliance and take steps to provide the required disclosures and ensure that EU consumer data is protected.
What is GDPR?
You can learn more about the ins and outs of GDPR from our post, Introduction of GDPR. In general, GDPR is a set of privacy protection laws that determine how businesses collect, store, and process personal data. Before turning to the practical impact of GDPR on covered entities, it is essential to understand the contractual provisions that govern the relationship between controllers and processors. Article 4 of the GDPR defines these two roles:
- Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
- Processor: the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
These contractual provisions are generally found in a data processing agreement, commonly referred to as a data processing addendum or “DPA.”
GDPR DPA Requirements
If your business processes personal information relating to individuals residing in the EU, or provides such information to any other entity, you are likely already familiar with the concept of a data processing agreement. The most fundamental provisions required by GDPR are in Article 28, Section 3. That section requires that “processing by a processor” be “governed by a contract…that sets out the:”
- subject-matter of the processing;
- duration of the processing;
- nature and purpose of the processing;
- types of personal data subject to processing;
- categories of data subjects; and
- rights and obligations of the controller.
In addition to the above, GDPR sets forth many stipulations applicable to processors, which must be in the relevant agreement or DPA. Such stipulations include that the processor:
- must act only on the controller’s documented instructions unless required by law;
- will ensure that individuals processing the controller’s data are subject to an appropriate duty of confidence;
- must take proper measures to ensure the security of processing;
- may only engage with a sub-processor with the controller’s prior authorization and according to a written contract containing appropriate protections;
- must take proper measures to help the controller respond to requests from individuals exercising the rights provided to them under GDPR;
- must, taking into account the nature of the processing and the information available to it, assist the controller in meeting its GDPR obligations regarding the security of processing, notification of personal data breaches, and data protection impact assessments;
- must delete or return all personal data to the controller upon the termination of the provision of services relating to processing; and
- will submit to specific audits and inspections.
Ensure GDPR Compliance with Bagchi Law
Whether your business is a controller entering into a DPA with a processor, or a processor engaging a sub-processor, meeting every GDPR requirement can seem daunting. On the flip side, failure to comply with GDPR can result in significant fines. Since GDPR became effective in May 2018, the number of enforcement actions has grown substantially, so it is more important than ever for businesses to focus on compliance.
Schedule a consultation today to learn how the team at Bagchi Law can help you with GDPR compliance.