Navigating GDPR is something of a challenge. If you’re unfamiliar with the General Data Protection Regulation (GDPR) you may wish to take a look at the article below as a starting point:
GDPR: A Practical Perspective
If you’re familiar with GDPR and busy readying your practice for May 25th 2018, one of the key things you will need to consider is the location of your data.
In reality, the decision is pretty straightforward. Below is the ICO (Information Commissioner’s Office) guidance on the location of your data:
Bottom Line: If your provider stores your data in the EEA (as we do) you’re in good shape. Obviously this isn’t the whole story in relation to GDPR, but it is the part that is raising a lot of questions and, in some (but not all) cases, getting some pretty sketchy answers.
If you work with a provider that doesn’t store your data in the EEA you may wish to clarify your position as we have seen a number of statements along the following lines from non-EEA providers:
“Don’t worry, our hosting provider (Microsoft/Google/Amazon) will ensure that we’re fully compliant with GDPR”
“Don’t worry, all you will have to do is agree to a new DPA (Data Processing Agreement)”
Point 1 is a major red flag! The provider (whoever they are) is your data processor, and the obligation to comply with GDPR as a processor is theirs; it cannot be passed down to whoever hosts their servers. Hosting providers like Microsoft, Google and Amazon are sub-processors to the provider, so any Data Processing Agreement with the hosting provider is between them and the provider, not between them and you.
Point 2 is somewhat misleading but as we’re not lawyers we decided to hand this one over to the Data Protection team at Aaron & Partners. Here is their professional opinion on this point:
While it is quite correct that whenever a data controller uses a third party data processor, there is a need to have a written contract in place, that Agreement will not:
- Alone, be a substitute for due diligence into the data processor – controllers will still need to satisfy themselves that the third party processor can provide sufficient guarantees that the requirements of GDPR will be met and the rights of data subjects protected;
- Alone, ensure compliance with GDPR relating to data transfers. Controllers will still need to undertake a review of their existing data practices, policies and legal documentation (including inward facing data protection policy, terms and conditions of business, standard contracts, privacy policies and statements).
While a data processing agreement, which includes the clauses prescribed by GDPR will be required, this is only part of the GDPR puzzle. All data controllers, particularly those who transfer data to third parties will need to undertake a review and consider all of the following:
- Data mapping – what personal data is held and where;
- Review inward facing data protection policies and procedures;
- Appoint a Data Protection Officer;
- Assess the lawful bases for processing personal data and special categories of data;
- Review consent mechanisms – GDPR sets a high standard for consent where this is relied upon. Controllers should also assess whether another lawful basis is more appropriate. There are far more stringent rules around consent under GDPR than under the DPA. If consent is being relied upon, any specific third party organisations who will rely on this consent to process the personal data must also be identified;
- If legitimate interests of the data controller are being relied upon, then this may require:
  - A legitimate interests assessment;
- GDPR imposes more obligations around documenting compliance – keep records of what an individual has consented to, including what you told them, and when and how they consented.
- There are a number of data subject rights which need to be drawn to data subjects’ attention;
- Carry out Data Protection Impact Assessments.
- If your provider is vague or imprecise about their GDPR plans, you might question their awareness and knowledge of GDPR, which may have a direct impact on your business.
- If your data isn’t held in the EEA, your provider must ensure that individuals’ rights are enforceable and that effective legal remedies exist for individuals. The point here is that if your data is held in the EEA, direct action (legal, regulatory, criminal etc.) can be taken by the appropriate enforcement agency (the ICO in the UK) against a data controller/processor in the event of a breach – so the EU is happy! If the data is held outside the EEA (for a practice operating in the EEA), and therefore outside the EU’s jurisdiction, the EU requires that you (and your provider) ensure that any individuals whose rights are infringed have exactly the same right of recourse as those whose data is held in the EEA. Many organisations, such as Google, Microsoft and Facebook, have addressed this issue, and to be clear it’s not insurmountable; however, if your provider is palming you off with platitudes like the ones listed above, you might have some issues.