You may have read recent media reports about the EU’s General Data Protection Regulation (GDPR), which came into force on May 25, 2018. This legislation aims to enhance individuals’ protection from privacy and data breaches and improve how organizations approach data privacy. Practically speaking, the GDPR will impact individuals and companies around the world, not only those residing in the EU. If your business ‘controls’ (i.e. in any way determines what to do with) personal data of individuals in the EU, perhaps because you offer goods and services to individuals in the EU or monitor individuals’ behavior inside the EU, you should certainly continue reading. We would like to take you through the immediate steps controllers should be taking in relation to their data processors, in order to comply with the GDPR.
Controllers and Data Processors
Controllers are accountable under the GDPR for making sure that processing activities are compliant. Chances are, if a controller handles a large amount of personal data, it uses a third party to process that data. The GDPR defines ‘processing’ as including, for example, collecting, gathering, storing, sorting, modifying, using and making available personal data by electronic means. Processors located physically outside of the EU (e.g. cloud services) are also caught by the broadly worded definition. The requirements for processing personal data under the GDPR are stricter than under Canada’s federal privacy laws (Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), or “PIPEDA”) and stress the main objective of data protection and security in describing necessary safeguards.
The GDPR not only urges controllers and third-party processors to review their existing agreements, but also goes a step further and provides requirements for data processing agreements. A controller should:
- Begin by conducting and documenting its due diligence, and vetting potential processors before entering into an agreement. A compliant data processing agreement should, for instance, set out the processor’s responsibilities, describe processing activities (term, purpose, types of data, etc.), set out how data will be handled when the agreement terminates, and restrict the processor’s ability to subcontract its services without the controller’s consent.
- If it is satisfied with a current third-party processor, audit its existing services agreements and renegotiate certain terms in order to best shield its business from potential liability under the GDPR. A major focus should be placed on updating representations, warranties and indemnification provisions, and perhaps requiring additional insurance from the processor. Controllers may wish to engage a privacy lawyer to assist with this undertaking.
Keeping Privacy in Mind Mitigates Risk
There is no doubt that the GDPR will increase a controller’s potential liability, as well as the cost of contracting with third-party processors. At the same time, the penalties under the GDPR have been expanded significantly, and are worth the extra effort to avoid. Overall, the GDPR is yet another indicator of the trend toward designing products and systems with privacy in mind, as opposed to privacy as an afterthought. The best way to mitigate your risk is to move forward with this mantra in mind, and embrace the shift toward more transparency and control for data subjects.
What are your main concerns with managing and preparing for GDPR compliance? If you have any comments and opinions on our blog post, please leave them on our LinkedIn pages www.linkedin.com/in/wendyhulton, www.linkedin.com/in/lianadigiorgio or on the Dickinson Wright Canada LinkedIn page or Twitter page @DWrightCanada.
About the Authors:
Wendy Hulton is a Partner in Dickinson Wright’s Canadian Employment Law Group. She provides employment law advice to a wide range of employers on a variety of workplace issues, including discipline and wrongful dismissal matters, workplace privacy, human rights management and litigation and health and safety issues. In addition, she provides advice on cannabis, dietary supplements, natural health products, foods, drugs, cosmetics, medical devices and a wide range of consumer products. Wendy can be reached at 416-777-4035 or firstname.lastname@example.org and you can visit her bio here.
Liana Di Giorgio is an Associate in Dickinson Wright’s Toronto office. Her corporate practice includes funding transactions, private company mergers and acquisitions, cross-border work, negotiating and drafting commercial agreements, and business formation, structuring and reorganizations. She also has significant experience advising emerging businesses and technology companies, and has assisted entrepreneurs with estate planning matters. Liana can be reached at 416-646-4610 or email@example.com and you can visit her bio here.