Data Processors and the Definition of Personal Data Under the GDPR
You can download a full copy of the slides from this webinar.
Full transcript available below:
Good afternoon. Thank you for joining the webinar today. We're going to give everyone just a couple more minutes to join and then we'll start the webinar. Good afternoon and thank you for joining today's webinar, "Prepare your firm for GDPR", hosted by me, Bethany Sirven of MyComplianceOffice, with feature presenter Emily Mahoney.
Data processors may be potentially the most, or may be considered by some to be the most, boring topic, but actually really critical to most companies under the GDPR. There's significant change; it's not as sexy a topic to discuss in the media, so there may not have been as much attention paid to it, but it's really critical for any company that engages, that outsources. Basically, any company, every company.
You must keep in mind the data processors and your engagements with data processors. First, the obligations for the agreements with data processors have significantly expanded. The GDPR requires a contract with a data processor to include the subject matter and duration of the processing, the nature and the purposes of the processing.
In the actual agreement, you have to be disclosing this: the type of the personal data and the categories of data subjects. Some contracts or agreements following best practice would already have been doing this, but this is now a requirement under the GDPR. Additional obligatory provisions include that the processor itself must make information available to the controller to demonstrate compliance, contribute to audits and inspections, and assist the controller regarding access requests, data protection impact assessments and security breaches.
As just an example, if you outsource payroll, if you engage another entity to do data crunching when you're doing some marketing survey or marketing analysis, if you outsource your bookkeeping and accounting, all of these agreements need to be reviewed to ensure that they comply with the GDPR requirements.
There also will need to be a review of how you're allocating liability, because now under the GDPR data processors will actually themselves be subject to liability under the GDPR. They are subject to fines and they also can be sued by a data subject. They're going to be more participatory in the ball game in terms of negotiations and who's going to be liable for what in the event of a breach.
While it's not the most interesting or sexiest topic, again, this is a real area to take note of and to be looking at those agreements with your data processors and, if you don't have them, to start drafting them. Okay, next slide. This is another question that I think we're not going to be able to do.
The correct definition of personal data under the GDPR. I find that there is a confused understanding of what personal data is. That's why I wanted to provide this question as an option, and I had different definitions of personal data depending upon the different jurisdictions. There's one from California, one from Singapore and then one from the GDPR. I'll read the GDPR's definition.
Personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified either directly or indirectly, in particular by reference to an identifier such as a name, an ID number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Understanding that, basically, we know based on case law and then with this definition, personal data can extend to include online identifiers such as IP addresses and cookies. It's quite a broad definition of personal data. This is not consistent across other jurisdictions outside the EU. When we work with American clients, for example, there is a lot of disconnect sometimes, because the understanding of personal data there would be more about, okay, first and last name, email address, and it's not ... It doesn't get as granular a definition of personal data, but here in the EU it can get down to the ... of an IP address.
That should just take it home for you how broad the definition of personal data is and really that you are likely to be processing personal data. As a side note, a lot of clients sometimes say, "Well, we're processing personal data, but we use encryption, SHA-256," but that doesn't mean, just because of the level of encryption you're using, that you still are not subject to the GDPR. As long as you're processing personal data, you are subject to the GDPR regardless of the type of security measures you're taking. It's great to be using great encryption, but keep in mind you're still subject to the GDPR and it's still personal data even if it's protected.
This webinar was co-hosted with Mason Hayes & Curran www.mhc.ie