Can data processors benefit from the GDPR? Posted by Mike on 16 June 2017

In just under a year, the toughest privacy law in European business history - the GDPR - will come into effect. Impacting the systems and practices that are core to effective and compliant data processing, it’s easy to feel your heart sink at the prospect of this forthcoming change in legislation. But, don’t overlook the opportunities that are also presented by this change.  By getting your GDPR house in order, you can drive competitive advantage.

Data Processor or Data Controller?  

If you are processing personal data, or sensitive personal data, under instruction from another organisation, then you’re considered a Data Processor.

Examples of some Data Processors (DPs) are:

Other examples include system integrators, bespoke software development houses, hosting providers, project management firms, resellers, consultancy houses and those who are providing services within a partnership model.  All these are examples of companies which handle data on behalf of another company – which is considered the Data Controller (DCs), as they determine why and how any personal data is held, and the purpose behind the processing of that data. Within the forthcoming GDPR, the term ‘processing’ is very broad and this will mean that core components and responsibilities of this new legislation will be extended to Data Processors.

B2C and B2B – any differences?

Current and upcoming data protection legislation focuses primarily on business-to-consumer industries, as the intent is to uphold the privacy rights of individuals and their relationship with organisations who process personal data on their behalf. Business-to-business focuses more on the commercial relationship between organisations. Where the difference becomes clearer, and highly relevant, is in the part of the legislation which covers consent for marketing. For B2C, under the GDPR, all consent must be explicit, meaning that a box must be ticked by the consumer to give consent. Pre-ticked boxes will be a thing of the past. For B2B, consent can be assumed, with the ability to opt-out later.

What will the impact of the GDPR be on Data Processors?

In the examples above, where DPs are handling large volumes of personal consumer and employee data, the GDPR will compel them to make a number of changes, such as to:

One critical change coming from the new legislation (due to come into effect in May 2018), is that Data Processors will now share liability with their Data Controllers, which introduces both a huge increase in commercial risk for DPs, but also shows where the opportunity lies for them to gain competitive edge over other suppliers.

Using GDPR compliance to drive business

In a world where companies have great choice over their suppliers, being able to demonstrate your commitment to best practice and data compliance is a real differentiator. To many companies, data is now worth more than oil. It’s a simple fact that well maintained data can be a company’s greatest asset but, considering recent headlines, on the flip side poorly maintained data represents a huge risk. This risk is about to increase, with non GPDR compliant companies being faced with fines in the range of €20 million or 4% of total worldwide annual turnover, meaning larger companies could potentially face billions of dollars in fines not to mention a severely damaged reputation.

Increasingly, we find that clients are looking to work with agents who are supporting their compliance endeavours, not being the weak link in the chain. As a Data Processor, if you can evidence good practice and contribute to your client company’s confidence in their ability to demonstrate compliance should the ICO come knocking, you will be more favourably considered than alternative providers that could put their clients at risk. 

What does best practice look like?  

Introducing best practice for data processing will require Data Processors to look at 4 main elements:

How can Sytorus help?

Sytorus provides lifecycle support, from assessing the current situation, identifying needs and - via our cloud-based SaaS product, Privacy Engine - managing the ongoing process of identifying and mitigating risk.  Our approach is designed to specifically drive a working framework to rapidly get a tech firm up to a level where they can achieve all the above in a practical and efficient manner.

Our risk assessment identifies detailed operational risks around the decision making and assumptions related to personal data. We then create a detailed implementation plan to help you drive these changes through your organisation. In addition, we provide you with the best online solution to manage this work, and demonstrate in detail to the regulator how you are risk mitigating and identifying new risks across all of your processes on an ongoing basis. Finally, we provide you with a knowledge transfer process to quickly allow you to manage this yourself and leverage this best practice.

Once you have these steps underway, it’s critical that you ensure your sales staff are able to position all of this good work as a USP to clients. It is our belief that Data Processors who can demonstrate competence, knowledge and commitment to the above approach will provide greater confidence to clients and thereby differentiate themselves from their competition.

If you’d like to speak to our specialists about where we’ve seen this in practice, or discuss our experience of rolling out effective solutions which address the GDPR’s privacy obligations and how we can help you, please contact us via phone 0207 936 9442 (UK), 353 1, or +353 (0)1 683 3314 (Ireland), or email info@sytorus.co.uk.