GDPR (Part 2):
How does GDPR Affect Your Business?
What is a DPA?
Before turning to a discussion of the practical impact of GDPR on covered entities, it is important to understand two additional terms defined therein:
- “controller” is defined in Article 4 of GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”; and
- “processor” is defined in Article 4 of GDPR as “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
If your business processes personal information related to individuals residing in the European Economic Area, or provides such information to any other entity, you are likely already familiar with the concept of a data privacy agreement. GDPR requires that certain contractual provisions govern the relationship between controllers and processors. These contractual provisions are generally found in a data processing agreement, commonly referred to as a data processing addendum or “DPA.”
The most fundamental provisions required by GDPR are found in Article 28, Section 3 of GDPR. That section requires that “processing by a processor” be “governed by a contract…that sets out:”
- the subject-matter of the processing;
- the duration of processing;
- the nature and purpose of the processing;
- the types of personal data subject to processing;
- the categories of data subjects (whose data is being processed); and
- the rights and obligations of the controller.
In addition to the above, GDPR sets forth a number of stipulations applicable to processors, which must be contained in the relevant agreement or DPA.
Such stipulations include the following:
- the processor must act only on the controller’s documented instructions, unless required by law;
- the processor must ensure that individuals processing the controller’s personal data are subject to an appropriate duty of confidence;
- the processor must take appropriate measures to ensure the security of processing;
- the processor may only engage with a sub-processor with the controller’s prior authorization and pursuant to a written contract containing appropriate protections;
- the processor must take appropriate measures to help the controller respond to requests from individuals to exercise the rights provided to them under GDPR;
- taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, notification of personal data breaches and data protection impact assessments;
- the processor must delete or return all personal data to the controller upon termination of the provision of services relating to processing; and
- the processor must submit to certain audits and inspections.
Whether your business is a controller entering into a DPA with a processor, or you’re a processor engaging with a sub-processor, it may seem daunting to ensure each requirement of GDPR is met. On the flip side, failure to comply with GDPR can result in fines ranging from 10 million euros to four percent of a business’s annual global turnover. While GDPR was implemented in May 2018, this year has seen an exponential increase in the number of enforcement actions. And as the US begins implementation of its own data privacy regulations, it is more important than ever for US businesses to begin thinking about compliance.