Controllers and processors have always enjoyed a special relationship under data protection law. That relationship has generally been one where the controller takes on all of the responsibility for any shortcomings of the processor. Fines are imposed on the controller, enforcement notices are dished out to the controller, and the responsibility for cleaning up after a data breach sits with the controller. Under data protection law a controller is a person or entity who determines the purposes and means of processing personal data. A processor simply processes the data on behalf of the controller. Data controllers often don’t fully understand their obligations under the Data Protection Acts. This lack of understanding can lead to poor controls in relationships with data processors that potentially expose the data controller.
6 common errors and 6 rules to remember
Here are the 6 most common mistakes that data controllers make when dealing with data processors. I’ve translated these into 6 rules for you as a data controller to remember when dealing with your data processors!
1. Once a data controller – always a data controller
Data controllers often misunderstand the nature of their relationship with data processors. For instance, I have heard of situations where data controllers have attempted to place a clause in contracts to get data processors to agree to become controllers of the data they are processing. This is meaningless and unenforceable. If you have determined the purpose and means for processing the data as defined in law, you are a data controller and you can never contract that role out. Rule number 1: The law defines the role of data controller, and that role cannot be contracted out.
2. Data controllers often fail to put in place written contracts with data processors.
A data processor must be given written instructions from the data controller. The new EU General Data Protection Regulation, coming into force in May 2018, contains specific instructions about how the controller must instruct the processor – including guidelines on confidentiality, engagement of sub-processors and deletion of the data once processing is complete. As a general rule, a data controller must instruct the data processor about what processing to do on the data; the data processor then uses their own expertise to determine how to process the data. Rule number 2: Everything a data processor does must be under contract.
3. The data controller is responsible for ensuring a data processor is competent.
When the Irish company Loyaltybuild had a major data breach in 2013, the clients who engaged it were held accountable by the Data Protection Commissioner for not having done due diligence on Loyaltybuild’s capabilities and data security processes. The expectation is that the data controller takes two steps: due diligence prior to engaging a data processor, and regular checkpoints during the relationship with the processor. Rule number 3: Audit the data processor’s capabilities prior to engaging them and at regular intervals during your relationship.
4. Most data controllers fail to set a retention policy with data processors.
Back to Loyaltybuild once more! Loyaltybuild had many customers across Europe, and the Data Protection Commissioner examined all of the customer contracts. Most of the contracts had at least one or two points of weakness, and these varied from contract to contract. What the contracts all had in common was that none of them set out a data retention policy. Not one single contract specified a data retention period. Rule number 4: Make sure all your contracts with data processors have clear and unambiguous data retention periods.
5. If there is a data breach by the data processor, the controller must take action.
A common mistake controllers make arises in the event of a data breach by a processor. The controller often expects the processor to do the “clean-up”. The controller expects the processor to contact the data subjects to inform them of the breach, and can be quite shocked to find it’s their own responsibility – and their own business reputation – that is on the line. Rule number 5: You can outsource the data processing activity – but not your responsibility as a data controller.
6. The controller is responsible for ensuring that the data subject can exercise his/her rights.
Data subjects – otherwise known as your customers! – have the right under data protection law to make a data access request. With certain exceptions you must provide the data subject with a record of all the information you hold about them within a strict timeframe. If you have contracted certain data processing to a data processor, you are obliged to ensure that the processor can also meet the requirements of data subject access requests. This means you must ensure that they can produce all the personal data they process relating to an individual data subject, in writing or in electronic format, within the time limit allowed. Rule number 6: Make sure the data processor can respond to data access requests in full and in time.

This article is a short and simple introduction to the controller / processor relationship. The EU General Data Protection Regulation (GDPR) introduces stricter guidance for controllers and processors. I will be coming back to this topic!