If the GDPR were a sea, it would be vast, confusing and in some places its shallow rocky geography would threaten metaphorical ships with disaster. Guidance for any would-be captain is plentiful; just searching for the term ‘GDPR’ in Google yields hundreds of thousands of results. From the basics of learning your portside and starboard to the more practical of how to protect your vessel from the supervisory authority’s arsenal, much is covered. That is with the exception of working with third-parties and most importantly, cross-border processing, something which is a normal aspect of business today, irrespective of size. This darker corner of the regulatory map is less often explored and must begin with identifying who is wearing the hat of the data controller and the data processor.
Controller or a Processor?
The concepts of data controller and processor are not new under the GDPR and are inherited from the incumbent Data Protection Directive 1995 (this was to become the Data Protection Act 1998 in the UK). By definition, the two roles are described as:
- Data Controller – A natural person or organisation whom determines the purposes and means of processing personal data. Under the GDPR, a data controller not based in an EU or EEA member state must nominate and register a representative based in an EU or EEA member state.
- Data Processor – Conversely the processor is the natural person or organisation who conducts personal data processing on behalf of a data controller.
Much like the seas, the regulation is designed to be flexible and take the shape of its receptacle. It is possible for one organisation to be both controller and processor, have joint processors or in some rare cases be neither.
Cloud-Based Storage – Few organisations today are not taking advantage of the benefits of cloud storage. Its low costs and mobility have driven large profits for providers such as Google, AWS and Dropbox to name a few. In the case that cloud storage is being used to store personal data from the data subject, the cloud-based storage organisation occupies the role of data processor as storage is considered an act of processing. It does not determine the nature of the processing nor what is being stored, therefore the data controller is the consumer of the cloud service.
Third Party Payment Services – Small to medium sized retail organisations often outsource payment processing to third-parties in exchange for a processing fee, as a way to quickly implement card payment options and transfer the requirements of PCI-DSS compliance. In this case, the payment processing third-party absorbs both the role of the controller and the processor as it decides which personal data it requires from the data subject for a purpose of its determination and essentially completes the processing itself. In this case, the payment processing service must ensure they are either based in an EU or EEA member state, or have a representative in one.
The Good, the Bad and the Ugly
With the roles defined, it is much easier to understand when third-party processing and cross-border processing is taking place so that you may determine your obligations under the GDPR. Despite being a European regulation, the GDPR has been created to protect residents of the European Union and European Economic Area irrespective of where processing is being undertaken. It achieves this via peer-to-peer enforcement, essentially forcing the relationship between data controller and data processor to either be within jurisdiction of the GDPR; or by ensuring there are contracts between two parties, thus guaranteeing the same rights and freedoms afforded by the GDPR.
Intra-EU/EEA Cross-Border Processing
As a regulation conceived to harmonise data protection law across the member states, the GDPR has little to worry about when it comes to internal data transfers. With both data controller and data processor present in an EU or EEA member state, both would be obliged to implement the requirements of the GDPR regardless of contract. In such cases, it is recommended that a contract between the two is still maintained and that GDPR compliance be a condition for partnership as liability for a data breach may be shared.
Approved Nation/Territory Cross-Border Processing
The article 29 working party has published a list of countries and territories which it has concluded to have sufficient or equal data protection laws to the GDPR. As a consequence, third-party cross-border processing is permitted. The list of countries includes (correct at time of writing):
- Faroe Islands.
- Isle of Man
- New Zealand
- United States of America (Privacy Shield)
For the remaining data processors in nations and territories outside the EU, EEA or approved list, the rights and freedoms of data subjects must still be enforced, however at a contractual level between data controller and processor. More commonly known as model binding corporate rules, these contractual level rights ensure that data subjects should enjoy the same benefits regardless of location.
Beware the Seas
Third-party and cross-border processing is a way of life for most organisations attempting to embrace modernity and the GDPR has not been created to prevent that. However, organisations should beware. Whilst most of the commentary surrounding the regulation has been regarding the level of fines and the prevention of breaches, there is one simple fact which is being overlooked. The GDPR never penalises because of a breach, instead it aims its cannons at those who failed to take adequate steps to protect the rights and freedoms of data subjects.