Data Processor Accountability
The General Data Protection Regulation (GDPR) places increased responsibilities on all those parties that process personal data. With this in mind, we consider payroll bureaus and how the GDPR will impact the contract between them and their clients.
Payroll bureaus process data on behalf of the client. In data protection terms, the client will be considered the data controller and the payroll bureau will be considered the data processor.
Current data protection legislation mostly addresses data controllers, giving them the responsibility to ensure compliance when entering into an agreement with a data processor. However, the GDPR approach is different. For the first time, data processors have significant responsibilities and liabilities in their own right. Under the GDPR, data processors may be liable for damages or subject to fines and other penalties.
Considering this greatly increased accountability, payroll bureaus should be extra vigilant in ensuring that they have a water-tight contract with their client. Being so much more exposed under GDPR, payroll bureaus will want to make sure their obligations are precisely defined and agreed upon in the terms of service.
With this in mind, we take a look at some of the new responsibilities being placed on data processors, as well as what must be in the contract between a data controller and a data processor.
Requirement for a written contract between data controller and data processor
Any contracts in place on 25th May 2018 will need to comply with the new GDPR requirements. This includes existing contracts that run past 25th May 2018.
Under existing data protection laws, contracts between a controller and a processor should be in writing, should require the data processor to process data only on the instructions of the data controller, and should require the data processor to take appropriate measures to keep all personal data secure.
Contract requirements under GDPR
Under the GDPR the contract requirements are wider. The following will be mandatory terms to be included in contracts from 25th May 2018:
In the future, standard contract clauses may be provided by the European Commission or supervisory authorities; however, no standard clauses have yet been drafted.
Statutory obligations on data processors
In addition to the above, payroll bureaus should be aware of the statutory obligations that will be imposed upon them as data processors under the GDPR. These are:
In terms of GDPR readiness, a starting point for payroll bureaus will be to review their existing client contracts to ensure they contain the required mandatory clauses. If they do not, new contracts or a data protection addendum should be drafted and signed.