In many trading relationships, there will be a flow of data from one business to another – and where that data consists, wholly or partly, of ‘personal data’, the law requires certain provisions to be included in a written agreement. And with the implementation of the GDPR, those ‘data processing clauses’ are set to become rather lengthier than they currently are.
Definition under the DPA
Where a data processor carries out any processing on behalf of a data controller, the data controller does not comply with the DPA unless there is a written contract between the two parties that includes, as a minimum, the following two clauses:
- the data processor must only act on the data controller’s instructions
- the data processor must use appropriate technical and organisational measures to prevent unauthorised or unlawful processing of the data, and accidental loss or damage to the data
What does the DPA definition really mean?
There must be a written contract when one business processes personal data on behalf of another business, but the clause relating to data protection can (if the businesses only want to comply with the absolute minimum legal requirement) be very short and simple.
Definition under the GDPR
Where a data processor carries out any processing on behalf of a data controller, the data controller does not comply with the GDPR unless there is a written contract between the two parties that includes, as a minimum, the following clauses:
- a summary of the subject-matter of the data
- the length of time that the processing will continue
- the nature and purpose of the processing
- the type(s) of personal data that will be processed
- the categories of data subjects whose personal data will be processed
- a statement of the obligations and rights of the data controller
- the data processor must only act on the data controller’s documented instructions
- all of the data processor’s personnel who access the data must be subject to appropriate confidentiality obligations
- the data processor will comply with the requirements in the GDPR regarding security measures and encryption
- the data processor must assist the data controller in dealing with requests from data subjects, dealing with data breaches and conducting impact assessments
- the data processor must delete or return (at the data controller’s choice) all personal data at the end of the contract, or when the need for processing ceases
- the data processor must provide any information the data controller requests in order to demonstrate compliance with the GDPR, and to allow the data controller to audit and inspect the data processor’s compliance
- the data processor must not delegate the processing to a sub-processor without the data controller’s written consent (and then only on the basis of a written agreement which contains similar terms to the list above)
In addition, a data controller is only permitted to use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in order to meet the requirements of the GDPR, and protect the rights of the data subject.
What does the GDPR definition really mean?
There must still be a written contract when one business processes personal data on behalf of another business, but even a basic clause will now be far longer and more detailed, often running to a couple of pages of text.
But in addition, it is unclear how a data controller is expected to obtain a guarantee that the data processor uses appropriate forms of data protection – the extent of that burden is likely to be clarified over time.
What are the significant differences between the DPA and the GDPR?
Whereas the DPA imposed only two specific requirements, the GDPR imposes far more. The need for a written agreement does not change – it is still required in any relationship where one party discloses personal data to another.
In addition, a data controller must also satisfy itself that the data processor uses appropriate methods to protect any personal data it holds.
What effect will this have on UK businesses?
UK businesses now have to amend all agreements where there is a flow of personal data in order to comply with the more-detailed GDPR requirements, whether they are the data processor or the data controller … and ‘simple one-page’ agreements will no longer satisfy the requirements of the UK’s data protection laws.
The GDPR does say that the European Commission and the UK Government can, if they want, publish ‘standard clauses’ that deal with all the GDPR requirements, and UK businesses will satisfy the GDPR if they incorporate these clauses within their trading agreements. There have been no such publications so far, so those businesses wanting to get ahead will need their own bespoke versions.
What will my business need to do?
First, identify every single relationship your business has with suppliers, customers, outsourcers, contractors, agents, resellers, distributors, etc., where either you disclose any personal data to them, or they disclose any personal data to you. It doesn’t have to consist of masses of personal data – even disclosing the single name of a contact person would be enough.
Secondly, for each of those relationships, identify whether you are the data controller, or you are the data processor. It is likely that you will want to agree a slightly different data clause depending on the answer – as a data controller, you’ll inevitably want to shift as much burden onto the data processor as possible, but as a data processor, you’ll want the data controller to be fully responsible for compliance with the law.
Finally, identify whether there is an existing contract in writing between the two parties. If there is an existing contract, then you have to agree an amendment to that contract (which shouldn’t be a problem in principle, as the other party should also be keen to amend that contract to comply with the GDPR). If you do not have an existing contract, then you have to enter into a written agreement, ensuring that the agreement includes the required data clause.
It may be that, dependent on timing, you can use the ‘standard clauses’ published by the European Commission or the UK Government.
Any and all contracts that you enter into that involve a flow of personal data should already include a suitable data clause that complies with the GDPR.
My business doesn’t really bother with written contracts – is that a problem?
Ignoring the wider issues of not recording an agreement in writing, and concentrating purely on the data elements – the answer is ‘it depends’. If you disclose any personal data (including such basic data as an individual’s name and contact details) to the other party, or they disclose any personal data to you, then the current DPA requires there to be a short agreement in writing. A failure to have a written contract will put the data controller (whether that’s you, or the other party) in breach of the DPA. A failure to have a written contract will put both parties in breach of the GDPR.
Ok, I’ll have a written agreement if I must – but can it cover just the data clause?
Yes, in theory, the DPA only requires you to have a single, short clause in writing. The rest of the contract can be unwritten, if you want (although there are wider risks in not recording an agreement in writing). The same goes for the GDPR – you need only record the data clause in writing … it’s just that the data clause under the GDPR is rather more detailed.
Must every agreement contain a data clause?
No. Only contracts where there is a flow of personal data from one party to the other. That ‘flow’ does not have to be regular; it can simply be a ‘one-off’ disclosure of very basic personal data.
Why do I need to work out whether I’m a data controller or a data processor?
The DPA only applies to data controllers and therefore, as a data processor, you cannot be in breach of the DPA. The GDPR applies to both data controllers and data processors. Based on that fundamental principle, a data controller will inevitably want to shift as much burden onto the data processor as possible, seeing it as an opportunity to delegate its responsibilities. If you are the data controller, then that may be your valid objective. But on the other hand, as a data processor, you’ll want the data controller to be fully responsible for compliance with the law, and you’ll not want to accept any responsibilities for compliance with the GDPR. It is probably sensible, therefore, to have two ‘standard’ data clauses that you can use, depending on the particular situation.
So now, I’ve really got to include everything in the list above in my contracts where I disclose or receive any personal data? What if I don’t?
Yes, you do. That’s what the GDPR requires. If you don’t then, in theory, both parties could be fined up to €10 million or 2% of annual global turnover (whichever is greater). And if any data subject can demonstrate that they’ve suffered damage (even minor damage to reputation) as a result of your non-compliance, that data subject can bring a claim for compensation against you. And it might feasibly get worse – the UK Government can introduce its own national laws laying down other penalties for non-compliance.
Definitions
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- Data processor means the person/business that processes personal data on behalf of, and in accordance with the instructions of, a data controller.
- Data subject means the living individual that is identified, or can be identified, from the personal data.
- DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
- GDPR means the General Data Protection Regulation, the EU law that is now in place of the Data Protection Act 1998.
- Personal data means any data from which a living person can be identified.
- Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.
This briefing is based on the law as it stands in April 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.