In addition to bolstering the rights of individuals and increasing the level of fines applicable in the event of a breach, the regulations make further provision to ensure that Data Controllers and Data Processors effect good governance, transparency and accountability.
Where the processing of personal data is carried out by a Data Processor on the Controller's behalf, there is now a requirement for that relationship to be governed by contract. Article 28(3) states:
“processing by a processor shall be governed by a contract or other legal act…that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature, and purpose of the processing, the type of personal data categories of data subjects and the obligations and rights of the controller”
Any business operating as a Data Controller will ultimately have responsibility for complying with the regulations and for being accountable for that compliance. It is suggested, therefore, that Controllers only appoint Processors who can provide 'sufficient guarantees to implement the appropriate technical and organisational measures'. Agreements should, therefore, set out clearly the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the Controller.
In order to demonstrate compliance with the regulation, businesses will need to ensure that they implement appropriate technical and organisational measures. Both Controllers and Processors will have obligations under the regulations to maintain records, and in the case of Data Processors a record of all data processing activities carried out (Art 30). However, some relief is provided for organisations with fewer than 250 employees, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.
There is consequently an expectation that organisations will put in place comprehensive, but proportionate, governance arrangements. The undertaking of Data Protection Impact Assessments is now a requirement, in particular where new technology is intended to carry out the processing. These assessments are designed to assess the impact of the envisaged processing on the protection of personal data. Any new technology or process should also conform with the requirement of privacy by design. Privacy by design is the concept that data protection is taken into account from the inception of a project, rather than being considered as an afterthought. This approach, whilst not presently legislated for, has been encouraged.
The reality of the obligations placed on businesses and organisational bodies in complying with the regulations is that a greater number of policies and procedures will be required, together with a need to document relevant processing activities.
Should you need any advice and assistance in looking at the contractual arrangements you have in place, or will need in place, or have concerns over the processes and procedures you have in place to ensure data protection under the regulations, then please contact Richard Burraston on 01293 596984 or by e-mail at Richard.firstname.lastname@example.org or Paul Dungate on 01293 596981 or by e-mail at email@example.com