In detail

Is this a big change?

The basic concept of controllers and processors under the GDPR is not new. It’s very similar to the previous concept of data controllers and data processors under the Data Protection Act 1998 (“the 1998 Act”).

However, one significant change is that the GDPR now imposes some obligations directly on processors, as well as on controllers.

What’s new for processors?

The GDPR imposes obligations directly on processors. This is a significant change from the position under the 1998 Act. For the first time, processors have specific obligations towards individuals and are directly subject to regulation by the ICO. For example, processors are required to:

  • maintain a record of all categories of processing activities they carry out on a controller’s behalf;
  • keep personal data secure; and
  • assist the controller in complying with certain obligations (such as security, notifications of personal data breaches, and data protection impact assessments).

The GDPR also sets out minimum terms that a controller must impose on its processor by contract.

For the first time, processors are directly subject to the prohibition on transferring personal data outside the EEA.

What else is new?

The GDPR also includes new provisions dealing specifically with joint controllers. This is where two or more controllers jointly determine the purposes and means of processing. Joint controllers must enter into a transparent arrangement that sets out their roles and responsibilities regarding compliance with the GDPR, and in particular how they will comply with the rights of individuals.