GDPR and data processing: Ensuring compliance

(Original French title: RGPD et sous-traitance, GDPR and outsourced processing)

Matthieu Duault

Brand Manager @Yousign

Illustration: Léa Coiffey

For months now, you have been hearing about GDPR, its constraints and benefits, and you remember the long procedures you had to put in place to ensure you were complying with this new regulation on the protection of personal data.

It affects all businesses at some level or another, whether in their core business or in their marketing and communication activities. Every database has to be reviewed. While this task may have seemed complex, or even somewhat tiresome, it has also given every business an opportunity to get its data collection policy up to scratch, spring clean its databases, and ensure that the data in them can be lawfully processed.

One of the main aims of the GDPR is accurate traceability of data flows, including how data passes from one organisation to another. The difficulty therefore lies in the very common case where processing is outsourced to a third party. How can such outsourced processing be made GDPR-compliant?

As the data controller (in this relationship, the customer), you must ensure that the data processors handling personal data on your behalf are GDPR-compliant. If they are not, you can be held liable for the consequences.

In your role as a data processor, it is therefore highly recommended to make the first move and inform your customers that you are compliant. Customers need to know about, and agree to, your new personal data protection policy. They should be presented with the appropriate contract amendments for their approval.

Some questions will then arise.

  • How can a business ensure customers have properly understood and approved the changes brought about to its personal data processing?
  • How can the sending of contract amendments to all customers be best managed, automated and controlled?
  • Where and how should evidence of customers’ consent be stored?

What is a data processor?

The French data protection authority (CNIL) considers, pursuant to the GDPR, that you are a data processor if "you process personal data on behalf, under the instruction, and under the authority of a data controller".

Whenever you have responsibility for managing, storing or processing all or part of certain personal data on behalf of your customers, you are a data processor. This therefore includes the vast majority of IT and digital services providers, such as Yousign, communications agencies, marketing or human resources service companies and also some non-profit or public sector bodies that may be required to process personal data on behalf of other organisations.

It bears repeating that, for any given data flow, the data processor and the data controller are two separate legal entities.

The data controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" (GDPR, Article 4(7)).

The data processor is the natural or legal person that will process such data at the request and on behalf of the data controller.

For example, suppose you have a database of potential customers you wish to contact via targeted marketing campaigns. You make use of a webmarketing services provider to do so.

The webmarketing company will process the data you send it, and it will therefore be the processor. You, meanwhile, will be the data controller.

Let us now imagine that this webmarketing company outsources some of its own HR activities (payroll, social security returns, etc.). In that case it is the data controller as regards its employees' data, and the HR services provider is the data processor.

It is therefore quite likely that you are both the processor for your customers and the data controller for other processing, whether or not you use processors yourself. The best way to visualise these data flows clearly is to produce an in-house diagram identifying the data controller and the processor(s) for each flow.

The data processor’s obligations under the GDPR

The GDPR extended the processors’ responsibilities regarding personal data they process on behalf of data controllers. While the data controller is always primarily responsible for controlling data flows and data processing, the processor is not off the hook. According to CNIL (the French data protection watchdog), the processors’ obligations fall into four categories.

Obligation of transparency and traceability

The relationship you maintain with your customer must be perfectly transparent. It is highly recommended to contractually formalise the obligations incumbent on all parties, as well as the general scope of your role. The benefit is to have a written document listing the actions that you can take on data transmitted by your customers or managed on their behalf.

You must in addition obtain your customer's prior written authorisation (specific or general) before engaging a further processor (sub-processor) that will have access to all or some of the data you process on that customer's behalf.
Each change of processor, and therefore each change of data flow, must be properly notified so that the customer can object, or even, if the contract between you and your customer so specifies, give rise to a fresh agreement.

“The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.” 

General Data Protection Regulation, Article 28(2)

Applying the principles of personal data protection

All of your systems and services must comply with the GDPR from the design stage (data protection by design and by default).

You must further ensure that only data actually needed for the role you perform is stored and processed, and only by those persons authorised to do so.

Obligation to ensure the security of data processed

You must be able to guarantee to customers that the data they entrust to you is kept securely. All of your employees processing such data must therefore be bound by a confidentiality obligation, for example a non-disclosure agreement, in respect of the data.

You must also, at the end of your service provision and depending on your customers’ wishes, delete the data and/or transfer it back to your customers, unless you are legally required to retain it. This is the case, for example, with billing processes, or, as Yousign does, with documentary evidence connected to every signature processed within its application.

Obligation to assist, warn and advise

Being responsible for processing data on behalf of the data controller, you must support your customers and advise them on the correct use of the data processed. It is also incumbent on you to warn them when a risk arises in relation to their data or its processing.

You are consequently obliged to warn your customers when any request they make in respect of your role as processor infringes any provisions of the GDPR.

The GDPR also requires processors to do everything possible to enable data controllers to respond to requests from data subjects exercising their rights over their personal data (access, portability, erasure, etc.), and to notify controllers without undue delay of any personal data breach.

How to put in place a reliable, secure procedure for changing data privacy rules

This new regulation gives rise to new responsibilities for both data controllers and processors, and the implementation of new collection, processing and protection processes for personal data.

In recent months, you must have received, in both a personal and professional capacity, myriad emails and notifications asking you to read and confirm new general terms and conditions around personal data protection for your applications, processors, social media, e-commerce, etc.

All businesses handling data have had to undertake this exercise.

As the processor, and to be fully compliant with the GDPR, you must ensure that all of your customers have received, read and confirmed the new rules as an informed choice. This necessarily entails changes, of varying significance, to the terms of the contracts you have entered into with your customers. To follow the rules scrupulously, you need to obtain the signature of an amendment to the initial contract, of new terms and conditions of sale, or even of a new contract.

Once this document has been written, you will have to send it to all of your customers, track each individual procedure and ensure the document has in fact been signed by a person empowered to do so.

Electronic signature can make putting this procedure in place a much easier matter. An application such as Yousign will enable you to better manage this bulk sending of contract amendments to your customers, to track signature procedures, and quickly identify any that are causing problems by discussing the document directly with your customers.

Lastly, creating a documentary evidence file and retaining it, which is part of any signature procedure, provides durable, verifiable evidence of the consent given by your customers to these new general terms and conditions.

_

While many organisations are currently content to provide a checkbox confirming that you have read and understood their new privacy policy, the viability of this approach could be called into question. Will the GDPR not eventually require processors to ask customers and users to sign general terms and conditions of sale, to ensure that they really have been understood and approved?
