PART 1: GDPR: where we are now
On 25 May 2018 the EU General Data Protection Regulation (GDPR) came into force, reshaping the way personal data is handled across every sector and affecting boardrooms and consumers alike. A few months on, with the GDPR now bedded in, some surprising impacts are emerging.
Controller versus processor: hands up – who wants to be a processor?
The status of an entity as a controller or a processor has different implications under the GDPR than it did under the previous EU data protection law. This has led parties to re-assess the roles assigned to them in various contractual arrangements. In particular, many service providers are now asserting that they are in fact controllers – despite previously being designated as processors. (A controller is an entity that has control over personal data: it determines how and why personal data is processed. The controller is often, but not always, the organisation that has the direct relationship with the data subject. A processor, meanwhile, is an organisation that processes personal data on behalf of a controller. The GDPR defines processing as any operation or set of operations performed on personal data, automated or not, including collection, recording, storage, alteration, use, disclosure and structuring.) Below we examine why the introduction of the GDPR has encouraged service providers to re-brand themselves as controllers.
The pre-GDPR world of processors and controllers
Previously a processor had no direct liability under the law: only controllers had statutory liability for breaches of the Data Protection Act 1998 (‘DPA 1998’) – even if the breach was actually caused by its processor. There was also a widespread assumption that service providers were always, by default, processors, despite longstanding guidance from the UK Information Commissioner’s Office (‘ICO’) and the European Data Protection Board (‘EDPB’, previously the ‘Article 29 Working Party’) confirming that service providers can be controllers, especially where their services involve professional expertise, such as legal services, accountancy, market research and recruitment consultancy. Vendors, suppliers and consultants of all descriptions would almost invariably be described as ‘processor’ in contracts with customers. This position had some benefits for both providers and customers, regardless of whether it was supported on the facts:
- Because any engagement of a processor had to be based on a written contract, customers could use this as a way of obtaining advantageous contract terms – such as generous liability provisions and indemnities from the provider to cover the customer’s liability as a controller.
- Customers could exert control over the provider’s processing, including use of sub-contractors – because processors have to comply with controllers’ ‘processing instructions’. However, this was often based on a misapprehension that if the provider wasn’t a processor, they could do whatever they wanted with the personal data.
- Providers could avoid direct liability under the law and simply comply with the processing provisions in the contract. However, for providers with limited bargaining power, forced to contract on their customers’ standard terms or accept significant amendments to their own, the data processing provisions imposed by customers were often onerous and exposed the provider to greater potential liability than they might have had as a controller. Providers ‘big enough’ to contract on their own standard terms, or to amend their customers’ standard terms, could instead limit their liability to amounts reflecting the fees paid by their customers, obtain decent insurance to cover such liability to their customers and water down some of the more onerous obligations.
This practice remained widespread pre-GDPR, partly due to customer pressure on providers to accept processor status and pro-customer processing provisions (with providers opting for an ‘easy life’ to get contracts signed), and partly due to a persisting lack of awareness among providers and customers alike that providers could in fact be controllers.
A changing landscape – processors and controllers under the GDPR
Processors directly liable under the law: Processors now also have direct liability under the GDPR in a number of areas. For example, they now have to ensure that the conditions for transfers of personal data outside the EEA are complied with, keep processing records, refrain from engaging sub-processors without the controller’s authorisation, implement security measures, notify controllers of security breaches and appoint a Data Protection Officer (DPO) or EU representative where applicable. Processors can be sued by individuals or representative bodies, be fined by supervisory authorities and be held jointly liable with controllers and other processors for damages paid to individuals. However, controllers still arguably have more obligations than processors under the GDPR, particularly in relation to transparency and demonstrating compliance.