John Greenwood, Director of Thought Leadership at Compliance3, who recently addressed members of the BVSF at their AGM, has provided us with an overview of your obligations under the GDPR, and of what those obligations mean for managing your third-party system providers.
The General Data Protection Regulation (GDPR) becomes legally enforceable on 25th May 2018. Described by the UK Information Commissioner and many industry commentators as a ‘game changer’, the regulation is generating a significant level of discussion across all industry verticals. Data protection has until now been largely the domain of the legal, risk management and information security communities; it now affects every business operation, irrespective of how much personal data that business processes and which third parties it uses to support that processing.
In terms of scale, the GDPR represents the most significant change in the vehicle processing environment in terms of risk, both to vehicle dismantlers (as data controllers) and to the specialist third parties that support their data processing (data processors and sub-processors). Made up of 173 recitals and 11 chapters containing 99 articles, the GDPR puts great emphasis on transparency, which places an obligation on controllers and processors to tell data subjects how their data is used and to keep that data secure. In real terms, the regulation hands control of personal data back to the data subject and puts our rights, as data subjects, above those of the controller and the processor.
GDPR puts the rights of the data subjects above all others, legally obliging both data controllers and data processors to put the interests of the data subject above their own.
Looking at the regulation in more detail: after setting out General Provisions in Chapter I and Principles in Chapter II, it describes our rights as data subjects in Chapter III. Some of these already exist under the previous EU legislation (the Directive that underpinned the UK’s current Data Protection Act); others are new. Collectively, these entitlements allow us, as data subjects, to seek ‘remedies’, which are laid out much later in the document, in Chapter VIII (Remedies, Liability and Penalties).
Within Chapter VIII, Article 79 gives us the right to an effective judicial remedy against the controller or processor and, under Article 82, the right to compensation for material or non-material damage. The regulation sets no cap on that compensation. However, what really makes the GDPR the ‘game changer’ that many describe are three more fundamental changes:
- The first is that Chapter VIII entitles the data subject to seek ‘remedies’ not only from the data controller but also from the data processor and from the sub-processors in the processor’s supply chain that support the processing. A processor is liable where it has failed to meet the obligations the regulation places specifically on processors, or has acted outside the controller’s lawful instructions; where more than one party is responsible for the same damage, each can be held liable for the whole of it. That is a notable change in risk profile for all data processors and the sub-processors who support them in processing transactions, which in turn means that all contracts between all parties have to be reviewed in the light of this change.
- Secondly, Chapter IV places specific obligations on the data controller and the data processor to document their processing (for example, the records of processing activities required by Article 30) and, under the accountability principle, puts the burden on those parties to demonstrate their compliance. In practice this means they are treated as non-compliant until they can produce evidence that they have met their obligations under the regulation.
- Finally, again under Chapter IV, Article 28 places obligations on controllers and processors in respect of third parties. Article 28.1 states that “where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
In terms of using third parties, Article 28.2 clearly states that “the processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.” Article 28.3 then requires the relationship between controller and processor to be governed by a written contract containing prescribed terms, and Article 28.4 requires the processor to impose those same obligations on any sub-processor it engages, while remaining fully liable to the controller for that sub-processor’s performance.
Article 28 therefore introduces the idea of a ‘chain of compliance’, in which the data controller’s ongoing compliance depends on the compliance of the data processors and sub-processors that support it. Food for thought. For further information on your new data processing obligations, visit the ICO website at www.ico.org.uk
About the author
John Greenwood is Director of Thought Leadership at Compliance3 and helps merchants reduce the time, cost and effort of meeting their payments and personal data compliance obligations. He has spent over 25 years in the customer contact centre space, helping leading brands interact with their customers to reduce cost and improve service.
Compliance3 is a technology-agnostic professional services firm with a heritage in delivering large change projects in the contact centre environment. It helps governing bodies and acquiring banks define and support compliance guidelines, while also helping public and private sector organisations meet their payments and personal data security obligations, reducing the time, cost and effort of achieving and maintaining compliance.