GDPR Update – Data Processing Agreements
An organisation will often engage a third party to process personal data on its behalf (for example, by outsourcing payroll or by using a third-party marketing agent). In such circumstances, the organisation is required to have a written contract in place with that third party in order to comply with the Data Protection Act 1998. The contract should stipulate that the third party (i.e. the data processor) will only act on the instructions of the organisation (i.e. the data controller) and will take appropriate measures to keep the personal data secure.
The General Data Protection Regulation ("GDPR"), which takes effect on 25 May 2018, stipulates additional contractual requirements which must be imposed on data processors. Any arrangements between data controllers and data processors in force on 25 May 2018 must be governed by a contract which meets the broader GDPR requirements. This obligation is imposed on both the data controller and the data processor. Data controllers and data processors should therefore review, and where necessary update, their existing arrangements to ensure compliance with these requirements.
In addition, data controllers are required to undertake due diligence to ensure that any data processor they engage is competent to process personal data in accordance with the requirements of the GDPR. Any due diligence should be documented in case questions regarding the competency of the data processor are raised in the future. One way of achieving this is through completing a data protection impact assessment. Codes of conduct and certification schemes will (as and when they become available) help data processors demonstrate compliance with the GDPR.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.