Unpacking the Critical Article 28
On May 25, 2018 the EU will have the right to fine and regulate foreign “processors” of EU subject data, including hundreds of U.S. companies. This article will address ways to protect your organization financially and remain compliant.
Get ready: The EU’s General Data Protection Regulation (GDPR) is set to take effect in under four months (May 25, 2018 to be exact). Under the new law, the EU can directly fine and regulate foreign “processors” of EU subject data. Making matters more complicated, the GDPR’s definition of “processor” is very broad and includes most U.S. companies that receive data, from any source, that personally identifies European Union subjects.
Generally speaking, a “processor” is an entity that collects, records, organizes, structures, stores, uses, transmits or even erases or destroys personal data at the request of a data “controller.” The controller is the original “owner” or “receiver” of the personal data and essentially acts as the boss, instructing the processor on what the processor should do with the data. Analogizing this to U.S. law, the controller is the principal, and the processor is the agent; or, for those acquainted with HIPAA, the controller acts much like the “covered entity” (in that the controller is responsible for the data in the first instance), and the processor acts much like the “business associate,” performing discrete functions with the data pursuant to contract.
The extraterritorial application of the GDPR, and the potential for fines in excess of €20 million in some instances, have made GDPR compliance one of the top concerns for privacy and data security counsel around the globe. Unlike prior iterations of EU privacy law, this law reaches U.S. companies directly.
The law is structured in Articles, which comprise actual operative language of the Regulation. The Articles are preceded by Recitals, which, while not having the force of law, assist the reader in understanding the context and goals of the Articles. Think of Recitals as a form of well-organized legislative history; it’s not law by itself, but it helps us to understand and interpret the law.
While a number of Articles apply to U.S.-based data processors, one of the most important is Article 28, entitled “processor,” which is devoted entirely to regulation of processing activities. Article 28 sets out the key responsibilities of the processor and identifies core, nonnegotiable terms that must be included in any agreement between a controller and a processor. Understanding this Article is vital because the first introduction most U.S.-based companies will have to the GDPR will be in the form of a contract from an EU entity (or addenda to an existing contract) sent pursuant to Article 28.
Below is a summary of Article 28 sections critical to GDPR compliance, a few suggestions as to actions that can be taken to prepare for compliance and a summary of why it matters:
Section 1
This section requires controllers to select only those processors that can provide sufficient guarantees that the processor will comply with the GDPR and implement “appropriate technical and organisational measures” to protect the data.
Suggestions: Prepare for GDPR now by reviewing the obligations imposed on processors and instituting technical measures (see e.g., Article 32 (security of processing)) and policies so that your organization is positioned to provide the required guarantees).
Why It Matters: Controllers are legally obligated to select processors that are prepared for the GDPR. This confers a competitive advantage on those U.S. firms that have attacked this issue proactively.
Section 2
This section requires written approval by the controller of any subprocessors used by the processor. One example of a subprocessor would be a vendor that does billing using EU-subject personal information. The actions below will allow processors to achieve “downstream” compliance by providing notice to the Processors’ vendors of their obligation to comply with the GDPR.
Suggestions:
- Inventory current subprocessor vendors. Discuss forthcoming GDPR requirements with these vendors — they may not have the same direct EU customers as your organization.
- Negotiate language in processing agreements whereby the controller approves a list of subprocessors utilized by the processor.
- Consider developing a form subprocessor agreement that may be easily modified to fit particular use cases.
Why It Matters: Remember, since subprocessors may not have a contract with a controller, it is the processor’s obligation to ensure GDPR compliance by subprocessors.
Section 3
This section requires a written contract between the controller and the processor and sets out a number of required terms for such agreements. These terms include, for example, a stipulation that the processor will only act on the instructions of the controller, that employees and contractors employed by the processor will “commit themselves to confidentiality” and that the processor will assist the controller in ensuring compliance with certain other Articles of the GDPR, among other things.
Suggestions: Review these required terms in detail with counsel and ensure that systems are in place to meet the obligations imposed. These terms will be considered nonnegotiable by the controller.
Why It Matters: These terms will be found in every processor agreement, and certain of the terms will require the processor to install policies or technical or organization measures to achieve compliance. Since these terms are essentially universal and nonnegotiable, processors should prepare for compliance now.
Section 4
This section essentially requires the processor to ensure that all subprocessors are subject to the same “data protection obligations” as the processor. It also states explicitly that the original processor remains fully liable to the controller “for the performance of that other processor’s obligations.”
Suggestions:
- Closely evaluate and audit subprocessors for their ability to comply with the GDPR and the requirements set forth in the original agreement between the controller and the processor.
- Consider indemnification and other contractual provisions to mitigate liability in the event of subprocessor noncompliance since the GDPR likely prohibits shifting of liability from the processor to the subprocessor in certain respects.
Why It Matters: As noted above, processors are, generally speaking, responsible for their subprocessors’ errors. Thus, audits and other contractual protections should be strongly considered to minimize risk.
Section 5
This section allows controllers to rely on approved codes of conduct and certification mechanisms to establish GDPR compliance by processors. This is similar to the current market’s willingness to rely on SOC-2 audit letters or ISO27001 accreditations, except such reliance is specifically authorized by law.
Suggestions:
- This section likely will operate as a diligence shortcut for controllers in the sense that adherence to such pre-approved accreditations will automatically qualify the processor as a trusted vendor.
- Consequently, qualification/certification by a processor under such a standard will be viewed as a serious advantage worth pursuing by some U.S. firms.
Why It Matters: Getting qualified or certified as a trusted data processor will allow U.S.-based entities to market themselves as GDPR-ready to European customers.
Conclusion
Compliance with the GDPR clearly will evolve after it takes effect as regulators begin scrutinizing relationships and data subjects begin exercising rights. American data processors will need to be agile in the face of changing requirements and interpretations, but this does not alleviate the need or lessen the value of basic preparation now. Preparation such as that outlined above, while challenging, potentially gives U.S.-based processors a decisive competitive advantage in Europe over noncompliant peers.
