From 25 May 2018, the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR). Because GDPR is a regulation rather than a directive, it applies directly as law in every member state without needing separate national legislation, and it signals a required change in approach to how individuals access and control the data that is held about them.
If you are one of our clients, Circle is one of your Data Processors, so as a result of GDPR our relationship, and in particular Circle's responsibilities, will change. We aim to make this change ahead of time and in a way that makes things as easy as possible for you.
What is a Data Processor?
The ICO says:
Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
What changes under GDPR and what does that mean for our relationship?
The GDPR introduces direct obligations for data processors for the first time, whereas the current Directive places liability for data protection non-compliance on data controllers alone. Processors will also, for the first time, be subject to regulatory penalties and to civil claims by data subjects.
Article 28 of the GDPR states:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
In other words, we need to give you assurance that our security processes are up to scratch, and in particular that we provide the technical measures needed to keep your data safe.
In practice, this means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised. In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.
Some of this becomes a joint responsibility under GDPR, at least to the extent that, as your Data Processor, we can now be held liable for breaches. But it remains your duty as controller to work only with Data Processors that are themselves compliant and have appropriate data protection measures in place.