The Processor’s Perspective – Where Are We Now?

Much of the focus since the introduction of the GDPR has been on compliance obligations impacting controllers, and understandably so – ultimately, they’re tasked with complying with nearly all of the obligations under the GDPR, including the data protection principles and upholding the rights of data subjects.
However, the GDPR also represented a seismic shift for organisations classed as data processors who, prior to 25 May 2018, weren’t subject to any compliance obligations under UK data protection law – their obligations until then had been limited to contractual obligations imposed under agreements with data controllers. A lot of processors therefore had to make significant changes to their internal business processes and their solutions to reflect these new legislative requirements.
We have closely supported numerous data processors in recent years (largely software vendors and providers of technology services), helping them prepare for and subsequently operate under the GDPR. Whilst undertaking this work, we have seen certain trends emerging in how processors have approached their compliance obligations, in particular with regard to their relationships with their controller customers as dictated by Article 28 of the GDPR.
As a general observation, around 2016-2018 we tended to see most processors adopt a fairly cautious and conservative approach to documenting how they would comply with Article 28 – which is understandable given that these obligations were new territory for all concerned. For instance, processors putting forward their preferred version of data processing clauses often opted to simply set out obligations which closely mirrored the requirements of Article 28, with only minor caveats included.
Looking at the position in 2021, generally speaking, we’re increasingly seeing data processors adopt a more sophisticated and confident approach – adopting clauses which contain the obligations imposed under Article 28, but with some interesting nuances, e.g. allowing themselves broader rights or slightly caveating their obligations, and at the same time pushing obligations back onto the controller where appropriate, e.g. seeking warranties from the controller about the accuracy of the data obtained and even an indemnity from the controller where such data has not been collected fairly and/or lawfully.
In terms of what this trend can be attributed to, in our view, arguably one of the main influences has been the big tech companies, for instance AWS, Microsoft and Salesforce, who have undoubtedly shaped the thinking of other tech providers by taking the lead in adopting a flexible and robust approach to compliance, which reflects the nature of their business models (as reflected by the terms put forward in their respective data processing addendums, which are publicly available online).
Looking ahead to potential further changes which are likely to be welcomed by processors, two particular areas of note are overseas data transfers and use of personal data for training algorithms, both of which have traditionally been somewhat problematic for processors.
In terms of overseas transfers, processors typically use the standard contractual clauses to effect such transfers in a GDPR compliant manner, but the current UK versions of these are rigid and limited in scope, leaving processors with challenges regarding how to get these signed by controllers. Earlier in 2021, the European Commission approved a new set of SCCs which include versions for processors acting as data exporters, transferring to either a processor or controller overseas. Hopefully the ICO will also approve a similar set of UK specific SCCs in due course.
Furthermore, DCMS and the ICO are looking at a new exemption for data transfers, called the reverse transfer exemption – whereby data originating from a country not subject to an adequacy decision, transferred to a processor in the UK, can be freely transferred back to the country of origin (currently this is a restricted transfer and the SCCs currently don’t permit such a transfer back).
DCMS and the ICO are also looking at simplifying the law around use of personal data in AI tools and for the purposes of training algorithms, especially for the purposes of mitigating algorithmic bias. More guidance is expected in due course on this issue but it’s encouraging to hear that the regulator and government are sympathetic to the challenges faced by tech providers simply trying to improve the quality and accuracy of their algorithms.
Overseas transfers and use of data for training algorithms are two areas of the law which are likely to continue to evolve in the coming months and years – please look out for further articles on our website for updates on these areas.
