Spotlight Shines on Data Processors in New EU Privacy Regime

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

The European Union’s new privacy regime will spotlight cloud providers, data analysts, information technology services, and other companies that process data on behalf of others, privacy professionals told Bloomberg BNA.

Meeting the new compliance obligations of the EU General Data Protection Regulation (GDPR), which takes effect May 25, 2018, is a challenge to both the data controller companies that determine how personal information is collected and used, and the data processing and storage companies that carry out those functions on the controllers’ behalf.

One critical component of ensuring GDPR compliance is establishing clear privacy and data security responsibilities in contracts between data controllers and data processors.

The GDPR will replace privacy laws that now focus primarily on data controllers and expand privacy compliance obligations to include data processors. Data controllers will also face stronger obligations to ensure that data-processing companies under contract are protecting privacy.

Companies that offer data storage solutions in Europe, such as Walldorf, Germany-based SAP SE and U.S.-based Inc.'s Amazon Web Services, are among the data processors that would likely face new privacy compliance obligations under the GDPR. Amazon, which has data centers in Germany, Ireland, and the U.K., is the fourth largest technology company in the world with a $455.8 billion market capitalization, Bloomberg data show. SAP, which has data centers in France, Germany, the Netherlands, and Russia, is the third largest enterprise software company in the world with a $126.4 billion market capitalization, Bloomberg data show.

The new obligations facing data processors include providing notice of data breaches, objecting if a data controller orders processing not authorized by the GDPR, and keeping extensive records on decisions about whether particular processing of information complies with the new EU privacy regime.

“For most organizations, the accountability is a sea change,” Mary J. Hildebrand, chair of the privacy and information security practice at Lowenstein Sandler LLP in Roseland, N.J., told Bloomberg BNA.

Data processors must also consider changes to their risk-assessment decisions, as the GDPR dramatically raises potential fines to as much as 20 million euros ($22.4 million) or up to 4 percent of a company’s worldwide revenue, whichever is higher.

Data Processor Compliance Awareness Low

Despite the significant new privacy obligations and the potential for large fines, it isn’t clear whether data processors are ready for the GDPR. Privacy and security professionals told Bloomberg BNA that at least half of companies considered data processors may not be aware of the new requirements.

Jan Henderyckx, managing partner of Belgian data consulting company Inpuls, told Bloomberg BNA that as a “rough estimate,” 50 percent of EU data processors are “really aware and working on things.” However, awareness is “much, much lower” outside the EU among companies that process data coming from the EU, he said.

Bo Holland, CEO of AllClear ID, which advises companies on data breach response, said the proportion of informed companies is much lower, at 20 percent. “The word is starting to get out, but the awareness level is pretty low,” Holland told Bloomberg BNA.

Watertight Contracts, Clear Expectations

The GDPR will require data controllers to take steps to ensure the privacy and security of personal data sent downstream to companies they contract with to carry out data-processing functions. Such contracts should be watertight so data controllers minimize their own exposure, the privacy pros said.

“These contracts are going to be put into place in the next year,” a process that is likely to involve “a rather steep learning curve” for some processors, Hildebrand said.

Contracts will need to cover arrangements in case of data breaches, the pros said. Under the GDPR, processors will be required to notify the relevant data controllers of breaches “without undue delay”—and failure to do so could expose processors to claims from data subjects and data controllers.

“It’s a dramatic shift,” and processors could be particularly in the line of fire in case of a data breach because they “may have thousands of controllers who are clients,” Holland said.

Processors and controllers are “starting to negotiate on who is going to be responsible for what” should a data breach happen, Holland added. “It’s very important that each party looks at these new obligations so that the expectations are clear.”

GDPR Compliance as Value Proposition

The new compliance obligations may shake up the data-processing market, with controllers choosing their processors more carefully, the privacy pros said.

Data controllers may hesitate to do business with data processors who don’t have “adequate answers” on GDPR compliance, Henderyckx said. And some processors are seeing compliance “as a value proposition towards their customers,” he said.

“The ones that will survive are the ones that make the mind shift,” Henderyckx said.

Hazel Grant, partner and head of privacy, security and information practice at Fieldfisher LLP in London, told Bloomberg BNA that, for data processors, the “evaluation of the risk of taking on a contract changes hugely.”

Under the current EU privacy regime, a controller is required to “carry out due diligence on a processor, but in practice hardly anybody did that,” Grant said. That will change under the GDPR with potential market-wide implications, she said.

Grant also predicted more data-protection litigation, with disputes between controllers and processors and the possibility of actions on behalf of groups of individuals filed by consumer organizations on top of heightened enforcement by privacy regulators.

Detlev Gabel, a partner at White & Case LLP in Frankfurt and head of the firm’s data, privacy and cybersecurity practice, told Bloomberg BNA that EU privacy regulators will likely pursue enforcement actions under the new data-processor obligations when they take effect in order to set an example and to educate processors and controllers about the new GDPR obligations.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security