Businesses will have to gear up for the new data protection laws

Much has been written about the new data protection law (GDPR) and how SMEs in the region will need to adapt and plan resource around it.
Phil ParkinsonPhil Parkinson
Phil Parkinson

We all share similar frustrations when it comes to junk mail, but the implications of mishandled data can be far more serious. With the May
2018 deadline looming, one element of the GDPR that is worth further exploration is
that of data processors, (third parties who may handle your company’s data with your consent).

Data processors are a separate legal entity and examples include payroll, marketing or IT companies that your business may send data to, or you
may even be one of these data processing businesses.

Hide Ad
Hide Ad

Under the current law (applicable until the GDPR takes effect on May 25), these secondary handlers of data are generally only subject to contractual obligations imposed on them by data controllers – the company who collected the data – and it is this company that retains the responsibility for any breach of the law.

The GDPR will change this. There will need to be specific written agreements between a company (the controller) and any secondary holders (processor) and it places direct obligations on the processor, such as the requirement to implement technical and organisational measures to secure data, to keep records and data breach notification requirements.

There are reasons for imposing these onerous requirements on data processors – for example, if a consumer passed their personal details to ‘Company X’, that data might be outsourced to various organisations down the chain who didn’t have accountability for how they handled it.

The GDPR will shine a light on
these careless data sharing practices.

Hide Ad
Hide Ad

So, businesses need to get ready. If you collect or manage data on another company’s behalf, you must carry out due diligence on the companies you use for your process- ing.

Likewise, if you are a processor, carry out that due diligence on the data controller. You will also need to enter into written contracts.

Spending the time to prepare now, will ensure your business is a trusted one with good practices and is better placed to attract new business.

Related topics: