AIIM - The Global Community of Information Professionals

GDPR Compliance Obligations: The relationship between Data Controllers and Third-Party Processors

Jul 24, 2018 12:16:51 PM by Andrew Pery

bigstock-European-country-flags-and-map-22592804

This is the 11th post in a series on privacy by Andrew Pery. You might also be interested in:

  1. The Re-Permissioning Dilemma Under GDPR
  2. Data Privacy and Open Data: Secondary Uses under GDPR
  3. Three Critical Steps for GDPR Compliance
  4. Mitigate Data Privacy and Security Risks with Machine Learning
  5. The Privacy and Security Dichotomy
  6. GDPR and Cross Border Data Flows between the EU and the US: Current State of the Law
  7. Privacy by Design: The Intersection of Law and Technology
  8. What Do the GDPR and new Privacy Laws Mean for U.S. Companies?  
  9. Balancing Privacy Rights with Social Utility in the Age of the Internet of Things.
  10. GDPR Compliance Starts with Data Discovery

The EU General Data Protection Regulation is a game changer, particularly enforcement of obligations to safeguard privacy rights.

There are a number of areas where GDPR strengthens compliance obligations and imposes additional legal liabilities.  For example, under GDPR data subjects and/or regulators may now pursue direct remedies against data processors in the event of infringement of obligations, whereas such remedies did not exist under the prior data privacy regulation.   

Article 28 lays out the obligation requirements that govern the relationship between data controllers and processors.   Such relationship must be pursuant to a written contract which, at a minimum ought to adhere the provisions of Article 5 relating to the principles of lawful processing and incorporate provisions that “sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”  There are additional obligations imposed on third party processors, including compliance with Articles 32 to 35 that relate to the requirement to implement appropriate technological and organizational measures, such as pseudonymization and encryption of personal data that safeguard the confidentiality, integrity and accessibility of personally identifiable information, assist data controllers in responding to inspections and audits, when requested by data processing authorities and notify controllers in the event of data breach. 

Given the imposition of more onerous GDPR accountability provisions its incumbent on both data controllers and processors to ensure that their respective obligations are clearly spelled out in their respective Data Processing Agreements and that such provisions adhere to GDPR controller and processor obligations.  Failure to do so may result in impositions of sanctions and fines of up to 4% of revenue, or EUR 20,000,000 whichever is higher, for substantive violations such as failure to obtain affirmative data subject consent and of 2% of revenue for administrative infringements, such as failure to appoint a Data Processing Officer (DPO).  In addition, Supervising Authorities have additional supervisory and corrective powers, including conducting audits, obtain access to premises subject to judicial authorization, issue warnings and order compliance with GDPR obligations.

The task of reviewing existing Data Processing Agreements with third parties and identifying gaps relative to GDPR compliance obligations is not a trivial task, is often a time consuming and labor-intensive activity.  A typical Fortune 1000 company maintains on average 20,000 to 40,000 active contracts.    Third party processor agreements need to be reviewed in the context of GDPR compliance obligations, particularly, compliance accountability, data transfer provisions and data security requirements. 

While information governance best practices and GDPR specific checklist are helpful tools in managing GDPR compliance obligations an equally important consideration is the application of AI technologies that automate the tedious contract review process.

AI for contract analytics includes machine learning based document understanding building blocks that extract meaning from documents much the same way as humans do:

  • Recognition technologies such as OCR, ICR intelligently extract, classify and serve critical data from incoming images, email and document streams and integrated into corporate information systems
  • Entity Extraction that automatically identifies names, organizations, locations, dates, quantities and monetary value from contracts;
  • Natural Language Processing (NLP) that helps organizations infer meaning from agreements in context by analyzing contract clauses and their relationships within and between documents.
  • Clustering that categorizes documents based on their similarity and relationship.

Applying these building blocks organizations can accelerate the GDPR compliance process while at the same time increase the precision with which gaps between existing company privacy agreements and GDPR compliance requirements may be identified and remedied. 

Such machine learning technologies are designed to identify and extract relevant provisions within agreements through a combination of pre-built clause libraries and learn-by-example techniques that continuously improve both recall and precision of agreements reviewed.   These technologies can lift specific clauses from agreements and match them against corresponding GDPR provision, perform clause comparisons and identify gaps.   They also assist in mitigating risks, particularly identification of appropriate cyber insurance protection and indemnification clauses in the event of a breach.  This is particularly important and potentially consequential requirement for organizations to undertake given GDPR’s expansive jurisdiction to impose onerous fines and its exercise of corrective powers. 

Want more information?

GDPR After the Deadline

About the author:  Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector focusing on content management and business process automation. Andrew holds a Masters of Law degree with Distinction from Northwestern University is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).

Topics: information governance, electronic records management, privacy, information security, gdpr

Like what you see? Subscribe to get updates delivered straight to your inbox.

Back to Blog

About AIIM

AIIM provides market research, expert advice, and skills development to an empowered community of leaders committed to information-driven innovation.

Click to Download Digitalizing Core Business Processes

Subscribe to Email Updates

Recent Posts