
The introduction of the General Data Protection Regulation (GDPR) on 25 May 2018 means big changes in the responsibilities of data processors. Currently, data controllers have direct responsibility for the processing of data, but when the new regulations come into force, more of the responsibility will fall to data processors.
They will have more obligations when it comes to helping the data controller ensure that data is processed in accordance with the stipulations of GDPR, and that action is taken to limit the risk of data breaches occurring. Given the changes that are taking place, having accurate guidance to rely on is important for both controllers and processors. This is the reason for the publication of the guide for data processors, referred to as the Guide, which was produced by the French Data Protection Authority.
Why is the Guide so useful?
The French Guide followed close on the heels of the guidance that was issued by the Information Commissioner’s Office (ICO), and both lots of guidance are intended to help data processors negotiate the complexities of GDPR.
The main aim of the French Guide is to help data processors understand their responsibilities, and the technicalities of what they need to do. This includes:
- Ensuring that only necessary data is processed and that the processing is restricted to specific activities and management by certain people.
- Ensuring that data processors appreciate how to differentiate between their role as data processors and data controller activities that they undertake. For instance, data processing companies act as a processor for data controlled by others but they also have their own data to process, such as employee information. The records for both of these activities must be kept separate.
- Creating new contracts that recognise the provisions of GDPR, and come into force on 25 May 2018.
- Considering activities, such as sub-processing without permission, which may constitute a breach of the GDPR.
The French Guide is a very useful document for any data processor. It helps them to understand their responsibilities under GDPR. This in turn helps them to avoid potential penalties for non-compliance with the GDPR.