GDPR Compliance Obligations: The Relationship between Data Controllers and Third-Party Processors
The EU General Data Protection Regulation is a game-changer, particularly enforcement of obligations to safeguard privacy rights.
There are a number of areas where GDPR strengthens compliance obligations and imposes additional legal liabilities. For example, under GDPR data, subjects and/or regulators may now pursue direct remedies against data processors in the event of an infringement of obligations, whereas such remedies did not exist under the prior data privacy regulation.
Article 28 lays out the obligation requirements that govern the relationship between data controllers and processors. Such relationship must be pursuant to a written contract which, at a minimum ought to adhere the provisions of Article 5 relating to the principles of lawful processing and incorporate provisions that “sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
There are additional obligations imposed on third party processors, including compliance with Articles 32 to 35 that relate to the requirement to implement appropriate technological and organizational measures, such as pseudonymization and encryption of personal data that safeguard the confidentiality, integrity and accessibility of personally identifiable information, assist data controllers in responding to inspections and audits, when requested by data processing authorities and notify controllers in the event of data breach.
Given the imposition of more onerous GDPR accountability provisions its incumbent on both data controllers and processors to ensure that their respective obligations are clearly spelled out in their respective Data Processing Agreements and that such provisions adhere to GDPR controller and processor obligations.
Failure to do so may result in impositions of sanctions and fines of up to 4% of revenue, or EUR 20,000,000 whichever is higher, for substantive violations such as failure to obtain affirmative data subject consent and of 2% of revenue for administrative infringements, such as failure to appoint a Data Processing Officer (DPO). In addition, Supervising Authorities have additional supervisory and corrective powers, including conducting audits, obtain access to premises subject to judicial authorization, issue warnings, and order compliance with GDPR obligations.
The task of reviewing existing Data Processing Agreements with third parties and identifying gaps relative to GDPR compliance obligations is not a trivial task; it's often a time consuming and labor-intensive activity. A typical Fortune 1000 company maintains, on average, 20,000 to 40,000 active contracts. Third-party processor agreements need to be reviewed in the context of GDPR compliance obligations, particularly compliance accountability, data transfer provisions, and data security requirements.
While information governance best practices and GDPR specific checklist are helpful tools in managing GDPR compliance obligations, an equally important consideration is the application of AI technologies that automate the tedious contract review process.
AI for contract analytics includes machine learning-based document understanding building blocks that extract meaning from documents much the same way as humans do:
- Recognition technologies such as OCR, ICR intelligently extract, classify and serve critical data from incoming images, email and document streams and integrated into corporate information systems
- Entity Extraction that automatically identifies names, organizations, locations, dates, quantities and monetary value from contracts;
- Natural Language Processing (NLP) that helps organizations infer meaning from agreements in context by analyzing contract clauses and their relationships within and between documents.
- Clustering that categorizes documents based on their similarity and relationship.
Applying these building blocks organizations can accelerate the GDPR compliance process while at the same time, increase the precision with which gaps between existing company privacy agreements and GDPR compliance requirements may be identified and remedied.
Such machine learning technologies are designed to identify and extract relevant provisions within agreements through a combination of pre-built clause libraries and learn-by-example techniques that continuously improve both recall and precision of agreements reviewed. These technologies can lift specific clauses from agreements and match them against corresponding GDPR provision, perform clause comparisons, and identify gaps. They also assist in mitigating risks, particularly the identification of appropriate cyber insurance protection and indemnification clauses in the event of a breach. This is a particularly important and potentially consequential requirement for organizations to undertake given GDPR’s expansive jurisdiction to impose onerous fines and its exercise of corrective powers.
About Andrew Pery
Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector focusing on content management and business process automation. Currenly Andrew is CMO of Top Image Systems. Andrew holds a Masters of Law degree with Distinction from Northwestern University is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).