GDPR AND DATA PROTECTION AGREEMENTS
Let’s be realistic: most businesses have been a little hazy about data protection. We all know that the Data Protection Act (DPA) 1998 exists, but for the most part we tend to assume that a couple of policies on the website about privacy and cookies means we’re done. Most businesses that should be registered because they process personal data (marketing, anyone?) are not, despite the fact that the Information Commissioner’s Office (the ICO, which supervises and enforces data protection) makes it plain that failing to register is a criminal offence.
Perhaps data protection is one of those compliance issues that you feel you don’t have to worry about unless and until something happens.
Well now it has.
GDPR comes into effect on 25th May 2018 and brings the biggest data protection changes in 20 years. Since its aim is to give individuals better protection for their personal data, it’s no surprise that the changes include:
- a broader definition of what counts as personal data. It now expressly includes online identifiers such as IP addresses and cookie identifiers, and even pseudonymised data (for example key-coded data), if an individual data subject could be identified from that data together with other information you hold or can access.
- more responsibility for anyone who uses an external data processor to process data on their behalf
- a requirement to be able to prove that you comply with your data protection obligations (which current law does not demand)
Do I use data processors?
Probably, because most businesses do use data processors.
As a business you will no doubt delight in collecting useful names and email addresses (personal data) from individuals (data subjects), perhaps because they are existing buyers or they’ve signed up for a freebie on your website. You are the data controller because you decide how and why that data is processed/used.
However, you will then probably ask a data processor to process (do something with) that data on your behalf. The data processor could be a freelancer (such as your book-keeper) or a separate organisation offering a specific service. What about the people who send out newsletters or bulk emails on your behalf via their web service? Note that your own employees are not processors: staff acting under your authority are treated as part of you, the controller.
So how will GDPR change this?
As mentioned above, GDPR will change things in the following ways:
- data which is not considered personal data under current law will be personal data under GDPR
- if you use data processors, as the data controller you carry more of the responsibility
- you must not only comply with your GDPR obligations, but be able to show/prove that compliance.
So what should you do about this?
(1) The first step is to be absolutely clear about what information you currently hold and what you intend to collect, and to establish whether
- you need that data for a legitimate purpose
- you are able to lawfully use it in the way that you intend (for example, you hold a GDPR-valid consent, or another lawful basis applies)
(2) Once you are clear about your data, identify who your data processors are, check that you have written agreements in place with each of them, and check that those agreements mean that, ultimately, you will be GDPR compliant.
Don’t worry if you’re not quite there because you still have time to get your Data Protection Agreements in place.
What is a data protection agreement?
A Data Protection Agreement is a written agreement between you, as the data controller, and the person or organisation that will process the data you control. The agreement should set down
- how and when your data can be used (the purpose of the processing)
- who else, if anyone, can process it (for example sub-contractors), and that they need your authorisation first
- the duties on the data processor (such as the legal and security requirements that keep them and you GDPR compliant, including what security measures they apply, that they tell you promptly about any personal data breach, and that they return or delete the data when the service ends)
Data Protection Agreements don’t have to be lengthy, expensive or complicated. You just need to be sure that all of the data you control will always be handled in a GDPR compliant way, including when it’s being used by a data processor on your behalf. After all, a mistake made with personal data you control will be your problem.
This means taking the time to review existing agreements too. For example, if you use newsletter services or website analytics services, the supplier organisations may already have standard agreements; check that their terms actually cover the points above rather than assuming they do.
The good news is that, once you’ve got your data protection agreements in place, you can build them into your data protection policy (using them whenever you take on a new data processor, and scheduling regular reviews). That makes it much easier both to comply with your obligations and to produce the proof that you do.