GDPR and informed opinion
26 May 2017
But as the countdown continues to the deadline, now less than a year away, these points will hopefully be discussed, explored and worked out. Worked out by people like Aoife Sexton.
Sexton is a privacy and tech lawyer, and co-founder of Frontier Privacy.
She has been pretty busy of late, talking about the various aspects of the regulation, and this week saw her before the assembled partners, vendors and staff of CMS Distribution at its 2017 partner forum.
Here, she focused on the relationships between data controllers, data processors and sub-processors, as many of the vendors in the room would come under the headings of the latter two.
Acknowledging that “processing” is a widely-defined term, Sexton said that while a data processor may be processing on an outsourced basis for a data controller, a processor would not make policy decisions as to what is done with the data. A data processor would simply carry out the directions of the data controller.
However, Sexton also pointed out that under the regulation, a data processor must inform the data controller if an instruction with respect to the data breaches the GDPR or other regulation.
This is a major change, she argued, and added “If you are a data processor, the world has changed”.
She said that GDPR imposes direct statutory obligations on data processors. Data processors can be liable, under Article 82(2), to fines if they have not complied with processor-specific obligations in GDPR, or if acting outside of instructions from the relevant controller.
Also, Sexton pointed out that a controller and processor could face action by an individual for damages where there is no financial loss. GDPR provides the right to claim for material and non-material damage, where the latter covers distress, emotional impact or reputational damage.
The situation of data sub-processors was also made clear, as Sexton said that any contractual clauses governing data between a controller and processor must cascade down to any contracts governing sub-processors. She gave examples such as a controller outsourcing to a service provider, who in turn has a hosting contract from another provider, who in turn has a fail-over arrangement with a further provider. In this case, the contractual elements must cascade down to all points of the chain, irrespective of where those providers, as sub-processors, reside, unless of course the data is barred from leaving a jurisdiction or geographical area.
There will also be a significant amount of re-engineering of contracts, said Sexton, as there will be “no grandfathering of existing contracts” that run past the enforcement date of 25 May 2017.
As more and more organisations, from cloud giants to SMEs, work their way through the regulation, more such items will turn up that require increased definition.
The Article 29 Working Party will provide further clarifications and legal interpretations, but some points may end up with a best guess until tested.
When asked what her feeling was in terms of how the data protection commissioners will comport themselves after 25 May, Sexton was circumspect.
She said that the DPC Helen Dixon, in interviews, has said that there is no grace period after the 25 May—this is the grace period.
“If you were trying to guess,” said Sexton, “you would say she is going to come out of the traps with a couple of big fines straightaway.”