EU General Data Protection Regulation and Processors
Robert Bond, BA, CCEP
Partner
Robert Bond, CCEP

"astounding" (Legal 500, 2015)
"absolutely exemplary" and the fact that his knowledge of data protection law is "astounding, and his application equally impressive." (Chambers UK, 2016)

Robert Bond has over 37 years' experience in advising national and international clients on all of their technology, data protection and cyber law requirements. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks.
He is Secretary of the Board of SCCE, Chairman of the Big Data Governance committee of Tech UK and a member of the UN Data Privacy Advisory Group to the United Nations. He is an Ambassador for Privacy by Design.
rtjbond@icloud.com
Today’s topics
GDPR and Processors
• Current EU law
• Overview of GDPR
• Controllers and processors
• Contractual needs
• Use of sub-processors
• Role of DPO
• Trans border data flows
• Due diligence
14 January 2017
Key definitions (quick recap)
Data Controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Personal data: Data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
Data Subject: An individual who is the subject of personal data.
Key definitions (quick recap)
Sensitive personal data: Racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health condition, sexual life, criminal offences.
Processing: Recording or holding the information or data, or carrying out any operation or set of operations on the information or data.
DPA/Supervisory Authority: Tasked with the protection of personal data and privacy, and with taking enforcement action against those who do not comply with the data protection law.
Privacy Impact Assessment: A tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data (DPA).
Key principles (quick recap)
8 key principles of DP law: personal data must…
• Be processed fairly and lawfully
• Only be processed for one or more specified and lawful purposes, and not be further processed in a manner incompatible with those purposes
• Be adequate, relevant and not excessive
• Be accurate and, where necessary, kept up to date
• Not be processed for longer than is necessary
• Be processed in accordance with data subjects’ rights
• Be protected by appropriate technical and organisational security measures
• Not be transferred outside of the EEA unless that country ensures an adequate level of protection for personal data
General Data Protection Regulation
• Scope of regime:
  • Wider definition of Personal Data
  • All organisations
  • Pan-European (no local legislation)
  • Extra-territorial application
General Data Protection Regulation
• Documentation
• Breach notification – Regulator & Data subject
• Privacy Impact Assessments
• Compulsory DPOs
• Certifications and seals
• International transfers
• One-stop shop regulation
• Cooperation and consistency
• EU Data Protection Board
• Fines
• Sector exemptions – e.g. Media & Health
• Definitions of Personal data
• Consent
• Children’s (Parental) consent
• Information
• Data Subject rights & access
• Right to be forgotten
• Data portability
• Controller and Processor responsibilities
• Data protection by design and default
• Designation for non-EU controllers
Applicability – New law
Preparing for GDPR
• Applies to controllers and processors established in the EU
• Applies to any controller and processor not located in the EU where the processing activities are related to:
  • The offering of goods or services to data subjects in the EU, irrespective of whether a payment is required; or
  • The monitoring of their behaviour as far as their behaviour takes place within the EU
Representatives of controllers / processors not
Preparing for GDPR
• Controllers or processors not established in the EU but where Article 3(2) applies must designate in writing a representative
• The representative must be established in a member state where the data subjects whose data are being processed by the controller or processor are located (or where most of them are located)
• All DP issues from data subjects / data protection authority should be addressed to the representative
• The designation of the representative does not affect the responsibility and liability of the controller or processor under the Regulation
GDPR and processors - overview
• Controller must ensure processor will comply with GDPR
• There must be an appropriate contract between controller and processor
• Processor must have adequate information security
• Processor must not use sub-processors without consent of the controller
• Processor must co-operate with the relevant DPA
• Processor must report data breaches to controller without delay
• Processor may need to appoint a DPO
• Processor must keep records of processing activities
• Processor must comply with EU trans border transfer rules
• Processor must help controller comply with data subject rights
• Processors are directly liable for non-compliance
Contractual needs
• Documented instructions
• Confidentiality
• Information security
• Control of sub-processors
• Measures to help controller comply with data subject rights
• Co-operation with controller and DPA
• Destruction or return of data at end of contract
• Provide controller with evidence of GDPR compliance
Use of sub-processors
• No use of sub-processors without consent of controller
• Any third party processing personal data for a processor is a sub-processor
• Sub-processors must be contractually controlled
• Controllers are likely to do considerable due diligence
Data Protection Officers / Notifications – New Law
DPO
• Notifications abolished
• Applies to both controllers and processors
• Mandatory requirement for:
  • Public authorities
  • Where the core activities… consist of processing operations which, by virtue of their nature, scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • Where the core activities… consist of processing on a large scale of special categories of data and data relating to criminal offences
Data Protection Officers / Notifications – New Law
DPO
• Possible to have one DPO for a group of undertakings provided that the DPO is ‘easily accessible from each establishment’
• DPO can be a member of staff or on a service contract
• Contact details of DPO must be provided to the supervisory authority
• DPO must have ‘expert knowledge of data protection law and practices’
• Must be ‘independent’
• Must report to the ‘highest management level’
Tasks of DPO
• Inform and advise the controller or processor and the employees who are processing personal data of their obligations under the Regulation
• Monitor compliance with the Regulation, including the assignment of responsibilities, awareness-raising of staff involved in processing operations and the related audits
• Provide advice where requested as regards data protection impact assessments
• Co-operate with the relevant data protection authority (DPA)
• Act as a contact point for the DPA, in particular in relation to prior consultations referred to in Article 34
Data Transfers – New Law
Trans border data flows
• Safe Harbor
• Privacy Shield
• European Commission approved Model Contract Clauses
• Binding Corporate Rules
• Consent (although precarious to rely on)
• Codes of Conduct (Article 38)
• Certifications / Seals (Article 39)
Data subjects’ rights – New Law
Data Subject Rights
• Information (Art 14)
• Access (Art 15)
• Rectification (Art 16)
• Erasure (right to be forgotten) (Art 17)
• Restriction of processing (Art 17a)
• Data portability (Art 18)
• Object (Art 19)
• Automated decision making / profiling (Art 20)
Sanctions for non-compliance – New Law
Enforcements and fines
• Sanctions for non-compliance – two levels of fines…
  • Up to the greater of 2% of annual worldwide turnover of the preceding financial year or EUR 10 million – for matters re internal record keeping, data processor contracts, data protection officers, data protection by design and default
  • Up to the greater of 4% of annual worldwide turnover of the preceding financial year or EUR 20 million – for matters re breaching data protection principles, conditions for consent, data subjects’ rights and international data transfers
Due diligence
GDPR compliance
• Data Protection audit
  • Do they process personal data and sensitive data?
  • What are their data flows?
  • What are their information security policies & procedures?
  • Have they had any breaches – notified or not?
  • Have they been audited by a DPA?
  • Who is their DPO?
• Document data processing activities
  • Data processing map – intra group and third parties
  • Do they claim any ownership of personal data?
  • Retention and destruction practices
  • Use of sub-processors
• Review policies & procedures
  • Data breach response policy and procedures
  • Data sharing policy and procedures
  • Vetting of staff
  • Information security and cyber risk?
  • Training
Processors should…
• Carry out a compliance assessment
• Rewrite their terms of business
• Audit their sub-processors
• Review their insurance
• Address data transfer solutions
• Consider if they are a processor and/or a controller
• Assess their policies & procedures
• Decide if a DPO is necessary
• Anticipate their customers’ needs
• Put in place staff training
Questions?

SCCE Processors and GDPR

  • 1. EU General Data Protection Regulation and Processors Robert Bond, BA, CCEP
  • 2. Tel: 2 Partner Robert Bond, CCEP "astounding” Legal 500, 2015 "absolutely exemplary" and the fact that his knowledge of data protection law is "astounding, and his application equally impressive." Chambers UK, 2016 Robert Bond has over 37 years' experience in advising national and international clients on all of their technology, data protection and cyber law requirements. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks. He is Secretary of the Board of SCCE, Chairman of the Big Data Governance committee of Tech UK and a member of the UN Data Privacy Advisory Group to the United Nations He is an Ambassador for Privacy by Design rtjbond@icloud.com
  • 3.  Current EU law  Overview of GDPR  Controllers and processors  Contractual needs  Use of sub-processors  Role of DPO  Trans border data flows  Due diligence 14 January 20173 Today’s topics GDPR and Processors
  • 4. Term Definition Data Controller A person who (either along or jointly in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed Data Processor Any person who (other than an employee of the data controller) who processes the data on behalf of the data controller Personal data Data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller Data Subject An individual who is the subject of personal data 14 January 20174 Key definitions Quick recap
  • 5. Term Definition Sensitive personal data Racial or ethnic origin, Political opinions, Religious beliefs Trade Union Membership, Physical or mental health condition, Sexual life, Criminal offences Processing Recording or holding the information or data or carrying out any operation or set of operations on the information or data DPA/Supervisory Authority Tasked with the protection of personal data and privacy and take enforcement action against those who do not comply with the data protection law Privacy Impact Assessment A tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data (DPA) 14 January 20175 Key definitions Quick recap
  • 6. 8 Key principles of DP law Personal data must… Be processed fairly and lawfully Only be processed for one or more specified and lawful purposes and not further processed in a manner incompatible with those purposes Be adequate, relevant and not excessive Be Accurate and where necessary kept up-to-date Not be processed for longer than is necessary In accordance with data subjects’ rights Be protected by appropriate technical and organisational security measures Not be transferred outside of the EEA unless that country ensures an adequate level of protection for personal data 14 January 20176 Key principles Quick recap
• 7. General Data Protection Regulation: scope of the regime
  • Wider definition of personal data
  • All organisations
  • Pan-European (a directly applicable Regulation, not a Directive transposed by local legislation)
  • Extra-territorial application
• 8. General Data Protection Regulation: what changes
  • Documentation
  • Breach notification to the regulator and to data subjects
  • Privacy (Data Protection) Impact Assessments
  • Compulsory DPOs
  • Certifications and seals
  • International transfers
  • One-stop-shop regulation
  • Cooperation and consistency
  • European Data Protection Board
  • Fines
  • Sector exemptions, e.g. media and health
  • Definition of personal data
  • Consent
  • Children's (parental) consent
  • Information
  • Data subject rights and access
  • Right to be forgotten
  • Data portability
  • Controller and processor responsibilities
  • Data protection by design and by default
  • Designation of a representative for non-EU controllers
• 9. Applicability – New law (Preparing for GDPR)
  • Applies to controllers and processors established in the EU (Article 3(1))
  • Applies to any controller or processor not established in the EU where the processing activities relate to (Article 3(2)):
    • the offering of goods or services to data subjects in the EU, irrespective of whether a payment is required; or
    • the monitoring of their behaviour, as far as that behaviour takes place within the EU
• 10. Representatives of controllers / processors not (Preparing for GDPR)
  • Controllers or processors not established in the EU but to which Article 3(2) applies must designate a representative in writing (Article 27)
  • The representative must be established in a member state where the data subjects whose data are being processed by the controller or processor are located (or where most of them are located)
  • All data protection issues raised by data subjects or by the data protection authority should be addressed to the representative
  • Designating a representative does not affect the responsibility and liability of the controller or processor under the Regulation
• 11. GDPR and processors – overview
  • The controller must use only processors that provide sufficient guarantees of GDPR compliance (Article 28(1))
  • There must be an appropriate contract (or other binding legal act) between controller and processor (Article 28(3))
  • The processor must have adequate information security (Article 32)
  • The processor must not engage sub-processors without the prior written authorisation of the controller (Article 28(2))
  • The processor must co-operate with the relevant DPA (Article 31)
  • The processor must report personal data breaches to the controller without undue delay after becoming aware of them (Article 33(2))
  • The processor may need to appoint a DPO (Article 37)
  • The processor must keep records of its processing activities (Article 30(2))
  • The processor must comply with the EU rules on transfers outside the EEA (Chapter V)
  • The processor must assist the controller in complying with data subject rights (Article 28(3)(e))
  • Processors are directly liable for non-compliance (Articles 82 and 83)
• 12. Contractual needs (the terms required by Article 28(3))
  • Processing only on documented instructions from the controller
  • Confidentiality obligations on the persons processing the data
  • Information security measures (Article 32)
  • Control of sub-processors
  • Measures to help the controller comply with data subject rights
  • Co-operation with the controller and the DPA (breach notification, impact assessments, prior consultation)
  • Destruction or return of the data at the end of the contract
  • Providing the controller with evidence of GDPR compliance, including allowing audits and inspections
• 13. Use of sub-processors
  • No use of sub-processors without the prior written authorisation of the controller (Article 28(2))
  • Any third party processing personal data on behalf of a processor is a sub-processor
  • Sub-processors must be bound by contract to the same data protection obligations as the processor (Article 28(4))
  • Controllers are likely to carry out considerable due diligence
• 14. Data Protection Officers / Notifications – New Law (DPO)
  • Notification of processing to the DPA (the current registration regime) is abolished
  • The DPO rules apply to both controllers and processors (Article 37)
  • A DPO is mandatory for:
    • public authorities and bodies
    • organisations whose core activities consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
    • organisations whose core activities consist of processing on a large scale of special categories of data, or of data relating to criminal convictions and offences
• 15. Data Protection Officers / Notifications – New Law (DPO), continued
  • A group of undertakings may appoint a single DPO provided the DPO is 'easily accessible from each establishment'
  • The DPO can be a member of staff or engaged on a service contract
  • The DPO's contact details must be published and communicated to the supervisory authority
  • The DPO must have 'expert knowledge of data protection law and practices'
  • The DPO must be independent: not instructed in the exercise of the tasks, and not dismissed or penalised for performing them
  • The DPO must report directly to the 'highest management level'
• 16. Tasks of the DPO (Article 39)
  • Inform and advise the controller or processor, and the employees who carry out processing, of their obligations under the Regulation
  • Monitor compliance with the Regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
  • Provide advice where requested on data protection impact assessments and monitor their performance
  • Co-operate with the relevant data protection authority (DPA)
  • Act as the contact point for the DPA, in particular in relation to the prior consultation referred to in Article 36 of the final Regulation (Article 34 in the draft text the slide cites)
• 17. Data Transfers – New Law (trans-border data flows)
  • Safe Harbor (invalidated by the CJEU in Schrems, October 2015, so no longer a valid basis for EU–US transfers)
  • Privacy Shield (its 2016 replacement; itself invalidated by the CJEU in July 2020)
  • European Commission approved Model Contract Clauses (standard contractual clauses)
  • Binding Corporate Rules
  • Consent (although precarious to rely on)
  • Codes of Conduct (Article 40 of the final Regulation; Article 38 in the draft the slide cites)
  • Certifications / Seals (Article 42 of the final Regulation; Article 39 in the draft)
• 18. Data subject rights – New Law
  Data subject rights, with article numbers as in the final Regulation (EU) 2016/679 (the slide cited draft numbering, shown in brackets where it differs):
  • Information (Arts 13 and 14; draft Art 14)
  • Access (Art 15)
  • Rectification (Art 16)
  • Erasure / right to be forgotten (Art 17)
  • Restriction of processing (Art 18; draft Art 17a)
  • Data portability (Art 20; draft Art 18)
  • Object (Art 21; draft Art 19)
  • Automated decision making / profiling (Art 22; draft Art 20)
• 19. Sanctions for non-compliance – New Law (enforcement and fines)
  • Two levels of administrative fines (Article 83):
    • up to the greater of 2% of annual worldwide turnover for the preceding financial year or EUR 10 million, for matters such as internal record keeping, processor contracts, data protection officers, and data protection by design and by default (Article 83(4))
    • up to the greater of 4% of annual worldwide turnover for the preceding financial year or EUR 20 million, for breaches of the data protection principles, the conditions for consent, data subjects' rights and the international transfer rules (Article 83(5))
• 20. Due diligence (GDPR compliance)
  • Data protection audit
    • Do they process personal data and sensitive data?
    • What are their data flows?
    • What are their information security policies and procedures?
    • Have they had any breaches, notified or not?
    • Have they been audited by a DPA?
    • Who is their DPO?
  • Document data processing activities
    • Data processing map, intra-group and third parties
    • Do they claim any ownership of personal data?
    • Retention and destruction practices
    • Use of sub-processors
  • Review policies and procedures
    • Data breach response policy and procedures
    • Data sharing policy and procedures
    • Vetting of staff
    • Information security and cyber risk
    • Training
• 21. Processors should…
  • Carry out a compliance assessment
  • Rewrite their terms of business
  • Audit their sub-processors
  • Review their insurance
  • Address data transfer solutions
  • Consider whether they are a processor and/or a controller
  • Assess their policies and procedures
  • Decide whether a DPO is necessary
  • Anticipate their customers' needs
  • Put in place staff training