Protecting our clients’ data has always been at the heart of our business, and with the biggest shake-up of European data protection law in 30 years this topic is now hotter than ever.
The General Data Protection Regulation (GDPR) places increased responsibilities on all parties that process personal data. This includes EPS as a Payroll Bureau, which means we now need to consider how GDPR will impact the contract between us and our clients.
As a Payroll Bureau, EPS processes data on behalf of our clients. In data protection terms, the client is considered the data controller and Expert Payroll Services will be considered the data processor.
Current data protection legislation mostly addresses data controllers, giving them the responsibility to ensure compliance when entering into an agreement with a data processor. However, the GDPR approach is different. For the first time, data processors have significant responsibilities and liabilities in their own right. Under the GDPR, data processors may be liable for damages or subject to fines and other penalties.
This means we have to be extra vigilant in ensuring that we have a watertight contract with our clients, which also means reviewing existing contracts and inserting a data protection addendum where required. Although this is a time-consuming exercise, it has given us an opportunity to review all client contracts, which has turned out to be a good housekeeping exercise. Being so much more exposed under GDPR, we want to make sure our obligations are precisely defined and agreed upon in the terms of service.
With this in mind, let’s take a look at some of the new responsibilities being placed on data processors, as well as what must be in the contract between a data controller and a data processor.
- Any contracts in place on 25th May 2018 need to comply with the new GDPR requirements. This includes existing contracts that run past 25th May 2018.
- Under existing data protection laws, contracts between a controller and a processor should be in writing, should require the data processor to process data only on the instructions of the data controller, and should require it to take appropriate measures to keep all personal data secure.
- Under GDPR the contract is required to clearly set out the subject matter and duration of the processing, the type/category of personal data held, and the obligations and rights of the controller.
- The following mandatory contractual terms should also be included:
  - The processor must only act on the written instructions of the controller.
  - The processor must ensure that people processing the data are subject to a duty of confidence.
  - The processor must take appropriate measures to ensure the security of processing.
  - The processor must only engage a sub-processor with the prior consent of the data controller and under a written contract.
  - The processor must assist the data controller in meeting its GDPR obligations in relation to security of processing, notification of breaches and data protection impact assessments.
  - The contract must include end-of-contract provisions to ensure the continued security of the personal data. The processor must delete or return all personal data to the controller, as requested, at the end of the contract. An exemption applies where the data processor is required by law to retain data.
  - The processor must submit to audits and inspections, provide the controller with whatever information it needs, and tell the controller immediately if it is asked to do something that infringes the GDPR or other data protection law.
  - As a matter of good practice, contracts should state that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR, and should reflect any indemnity that has been agreed.
- In the future, standard contract clauses may be provided by the European Commission or supervisory authorities; however, no standard clauses have yet been drafted.
In addition to the above, Payroll Bureaus should be aware of the statutory obligations that will be imposed upon them as data processors under the GDPR. These are:
- Not to engage a sub-processor without the prior written authorisation of the client.
- To ensure there is a contract with the sub-processor containing the same data protection obligations that are imposed on the lead processor.
- To process data only in accordance with the written instructions of the client.
- Where a payroll bureau makes determinations about the processing of the data without the instruction of the controller, it will be considered a data controller.
- To maintain records of data processing activities in accordance with the Regulation.
- To implement appropriate security measures.
- To inform clients of any data breaches without undue delay.
- To co-operate with the supervisory authority.
- To comply with restrictions regarding transfers of personal data outside of the Union.
- To ensure certain minimum provisions are in contracts with controllers.
To summarise, GDPR has imposed considerable demands on us as a Payroll Bureau, but we can now be satisfied that we have invested the resources required to provide the reassurances our clients demand. Data protection and security have never been more important, and the steps we have taken not only mean we can provide compliant services to our clients, but have also resulted in new business from clients who recognise the importance of data confidentiality and security.
For more information please contact firstname.lastname@example.org or call us on 020 3802 1534…