Can data processors benefit from the GDPR?
In just under a year, the toughest privacy law in European business history - the GDPR - will come into effect. Impacting the systems and practices that are core to effective and compliant data processing, it’s easy to feel your heart sink at the prospect of this forthcoming change in legislation. But, don’t overlook the opportunities that are also presented by this change. By getting your GDPR house in order, you can drive competitive advantage.
Data Processor or Data Controller?
If you are processing personal data, or sensitive personal data, under instruction from another organisation, then you’re considered a Data Processor.
Examples of some Data Processors (DPs) are:
- a company which is providing SMS services to a marketing department
- a business process outsourcer such as a call centre or payroll provider
- a recruitment provider for an HR department
Other examples include system integrators, bespoke software development houses, hosting providers, project management firms, resellers, consultancy houses and those who are providing services within a partnership model. All these are examples of companies that handle data on behalf of another company – which is considered the Data Controller (DCs), as they determine why and how any personal data is held, and the purpose behind the processing of that data. Within the forthcoming GDPR, the term ‘processing’ is very broad and this will mean that core components and responsibilities of this new legislation will be extended to Data Processors.
B2C and B2B – any differences?
Current and upcoming data protection legislation focuses primarily on business-to-consumer industries, as the intent is to uphold the privacy rights of individuals and their relationship with organisations who process personal data on their behalf. Business-to-business focuses more on the commercial relationship between organisations. Where the difference becomes clearer, and highly relevant, is in the part of the legislation which covers consent for marketing. For B2C, under the GDPR, all consent must be explicit, meaning that a box must be ticked by the consumer to give consent. Pre-ticked boxes will be a thing of the past. For B2B, consent can be assumed, with the ability to opt-out later.
What will the impact of the GDPR be on Data Processors?
In the examples above, where DPs are handling large volumes of personal consumer and employee data, the GDPR will compel them to make a number of changes, such as to:
- identify a Data Protection Officer, where relevant
- articulate how consent, privacy, security etc. will be obtained and maintained in contracts with client customers
- contribute to the completion of Privacy Impact Assessments
- provide evidence of the implementation of the GDPR across the data processes
One critical change coming from the new legislation (due to come into effect in May 2018), is that Data Processors will now share liability with their Data Controllers, which introduces both a huge increase in commercial risk for DPs, but also shows where the opportunity lies for them to gain competitive edge over other suppliers.
Using GDPR compliance to drive business
In a world where companies have great choice over their suppliers, being able to demonstrate your commitment to best practice and data compliance is a real differentiator. To many companies, data is now worth more than oil. It’s a simple fact that well maintained data can be a company’s greatest asset but, considering recent headlines, on the flip side poorly maintained data represents a huge risk. This risk is about to increase, with non GPDR compliant companies being faced with fines in the range of €20 million or 4% of total worldwide annual turnover, meaning larger companies could potentially face billions of dollars in fines not to mention a severely damaged reputation.
Increasingly, we find that clients are looking to work with agents who are supporting their compliance endeavours, not being the weak link in the chain. As a Data Processor, if you can evidence good practice and contribute to your client company’s confidence in their ability to demonstrate compliance should the ICO come knocking, you will be more favourably considered than alternative providers that could put their clients at risk.
What does best practice look like?
Introducing best practice for data processing will require Data Processors to look at 4 main elements:
- Familiarisation with the obligations of the GDPR
- Completion of a comprehensive process-based risk assessment to determine what your operational risks look like (click here for more info)
- Get a comprehensive and sustainable implementation plan in place (click here for more info)
- Get your contracts proactively re-aligned
How can PrivacyEngine help?
PrivacyEngine provides lifecycle support, from assessing the current situation, identifying needs and - via our cloud-based SaaS product, Privacy Engine - managing the ongoing process of identifying and mitigating risk. Our approach is designed to specifically drive a working framework to rapidly get a tech firm up to a level where they can achieve all the above in a practical and efficient manner.
Our risk assessment identifies detailed operational risks around the decision making and assumptions related to personal data. We then create a detailed implementation plan to help you drive these changes through your organisation. In addition, we provide you with the best online solution to manage this work, and demonstrate in detail to the regulator how you are risk mitigating and identifying new risks across all of your processes on an ongoing basis. Finally, we provide you with a knowledge transfer process to quickly allow you to manage this yourself and leverage this best practice.
Once you have these steps underway, it’s critical that you ensure your sales staff are able to position all of this good work as a USP to clients. It is our belief that Data Processors who can demonstrate competence, knowledge and commitment to the above approach will provide greater confidence to clients and thereby differentiate themselves from their competition.