Processors - the new obligations
Although the Island’s current Act will still not apply to data processors, the GDPR will apply directly to some processors in certain respects. Processors will be subject to greater regulatory and judicial exposure.
The GDPR defines “processors” as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”.
Which Island processors will it affect?
An Island processor must comply with certain aspects of the GDPR if it undertakes processing on behalf of ANY data controller (irrespective of the data controller's jurisdiction) and that processing relates to:
- The offering of goods and services, irrespective of whether a payment of the data subject is required, to data subjects in the Union; or
- The monitoring of their behaviour as far as their behaviour takes place within the European Union.
Such processors will need to understand the basics of what “data protection” means, how it works, and which elements of the GDPR they must comply with.
Processors should note in particular:
- Security obligations
- Relationship with controllers more strictly regulated
- Applicability of fines and sanctions
- Powers of the Supervisory Authority
- Rules on data transfers and disclosures
- Requirement for records of activity to demonstrate compliance
- Requirement for a data protection officer
- Providing assistance to controllers in respect of data protection impact assessments and prior authorisation