The Processor’s Perspective – Where Are We Now?

Published 17 December 2021

Much of the focus since the introduction of the GDPR has been on compliance obligations impacting controllers, and understandably so – ultimately, they are tasked with complying with the majority of obligations under the GDPR, including the data protection principles and upholding the rights of data subjects.

However, the GDPR also represented a seismic shift for organisations classed as data processors who, prior to 25 May 2018, were not subject to any compliance obligations under UK data protection law – their responsibilities until then were limited to contractual obligations imposed under agreements with data controllers. A lot of processors therefore had to make significant changes to their internal business processes and their solutions to reflect these new legislative requirements.

We have closely supported a large number of data processors in recent years (mostly software vendors and suppliers of technology services), helping them prepare for and subsequently operate under the GDPR. Whilst undertaking this work, we have noticed certain trends emerging in how processors have approached their compliance obligations, in particular with regard to their relationships with their controller customers as dictated by Article 28 of the GDPR.

As a general observation, around 2016-2018 we tended to see most processors adopt a fairly cautious and conservative approach to documenting how they would comply with Article 28 – which is understandable given that these obligations were new territory for all concerned.  For instance, processors putting forward their preferred version of data processing clauses generally opted to just set out obligations which closely reflected the requirements of Article 28, with only minor caveats included. 

Looking at the position in 2021, generally speaking, we are increasingly seeing data processors adopt a more sophisticated and confident approach – adopting clauses which contain the obligations imposed under Article 28, but with some interesting nuances (e.g. allowing themselves broader rights or slightly caveating their obligations) and, at the same time, pushing back obligations onto the controller where appropriate (e.g. seeking warranties from the controller about the accuracy of the data received, and even an indemnity from the controller where such data has not been collected fairly and/or lawfully).

In terms of what this trend can be attributed to, in our view, arguably one of the main influences has been the big tech companies, for instance AWS, Microsoft and Salesforce, who have undoubtedly shaped the thinking of other tech suppliers by taking the lead in adopting a flexible and robust approach to compliance which reflects the nature of their business models, as shown by the terms put forward in their respective data processing addendums (which are publicly available online).

Looking ahead to potential further changes which are likely to be welcomed by processors, two particular areas of note are overseas data transfers and use of personal data for training algorithms, both of which have traditionally been somewhat problematic for processors.

In terms of overseas transfers, processors typically use the standard contractual clauses (SCCs) to effect such transfers in a GDPR-compliant manner, but the current UK versions of these are rigid and limited in scope, leaving processors with challenges regarding how to get these signed by controllers. Earlier in 2021, the European Commission approved a new set of SCCs which include versions for processors acting as data exporters, transferring to either a processor or controller overseas. Hopefully the ICO will also approve a similar set of UK-specific SCCs in due course.

Furthermore, DCMS and the ICO are looking at a new exemption for data transfers, known as the reverse transfer exemption – whereby data originating from a country not subject to an adequacy decision, transferred to a processor in the UK, can be freely transferred back to the country of origin (currently this is a restricted transfer and the SCCs do not permit such a transfer back).

DCMS and the ICO are also looking at simplifying the law around use of personal data in AI tools and for the purposes of training algorithms, especially for the purposes of mitigating algorithmic bias.  More guidance is expected in due course on this issue but it is encouraging to hear that the regulator and government are sympathetic to the challenges faced by tech suppliers simply trying to improve the quality and accuracy of their algorithms.

Overseas transfers and use of data for training algorithms are two areas of the law which are likely to continue to evolve in the coming months and years – please look out for further articles on our website for updates on these areas.

Authors

Christopher Air

Manchester

+44 (0)161 934 3167
