Posted by Phil Ayton
14 May 2018

The General Data Protection Regulation (GDPR) comes into effect in a matter of days, and with it new obligations for data controllers and processors. As most law firms run on-site systems, it is important to understand who is responsible for the processing and where technology vendors fit into the equation.

One of the main aims of the new legislation is to ensure that owners of data, the data controllers, are responsible for their data.  The new act requires them to ensure that anyone processing their data does so according to the new rules and cannot absolve responsibility simply because someone else processes for them.

Who is a data controller?

The data controller is the one who owns the data.  They made the decision to collect personal data in the first place. They need to be clear on which items of personal data they are collecting, the purpose for which the data are to be used, from which individuals they collect data, what efforts should be made to secure the data and how long they need to retain the captured data.  They need to articulate these to the data processor.

Who is a data processor?

A data processor, on the other hand, is the person, public authority, agency or other body that processes the data on behalf of the controller. The act of ‘processing’ could be as simple as storing data on a third party’s server or could include data retrieval or erasure.

When is there NOT a data processor?

In almost all cases, law firms are clearly the data controller. If the system is an in-house system run by in-house staff, there may be no data processor, which means the law firm must manage the obligations laid down by the GDPR. Many firms make the assumption that if a technology provider uses data to perform a task or service, that it must be a data processor. However, this often won’t be the case. The definition of a vendor as a data processor depends on their role and how much control they possess over the personal data.

Why is it important to determine whether my vendor is a data processor?

One of the key elements in the GDPR is accountability. Firms are responsible for, and must be able to demonstrate compliance, with GDPR.  However, compliance means different things for the data controller and the data processor. So, it’s imperative that firms are able to determine their own role, and the role of their vendors, to fully understand their legal obligations. For example, firms may believe their GDPR obligations are covered if a vendor signs a DPA, when in fact, they might be exposing themselves to crippling fines.

How do I determine if my vendor is a data processor?

To determine whether your technology vendor is a data processor, consider where the data is stored and maintained. Cloud-based providers are considered data processors, as they capture and store data on their own servers or third-party servers. However, if your firm uses software that is hosted and maintained on-premise, it’s most likely that your firm is also responsible for the processing of the data.

Under the GDPR, every data processing activity must have a data controller. However, a data processor isn’t necessarily required. In the case of on-premise software, law firms assume the sole responsibility of the data and whilst they are a data controller, they must assume the responsibilities of the data processor, also. Even though the software may be the means by which your firm captures, organises and stores personal information, the data is ultimately managed and maintained by the firm, and the firm exercises complete control over the processing and protection of the data.

If you use Microsoft Word to manipulate personal data, is Microsoft Corp. your data processor?  What about using Microsoft SQL Server, which both stores and performs automatic calculations on your in-house data. In this case, is Microsoft a data processor for you?  As Microsoft themselves are not creating, manipulating or storing the data, probably not. The same goes for any other vendor.

If a vendor offers remote support and regularly accesses your systems, are they a data processor?  If they manipulate data contain personal information then yes, but if they fix bugs, which may involve creating and delete test data (not real data), then they are not processing.  Most vendors will sign Data Processing Agreements to help their clients become GDPR compliant, but this is not the same as implementing measures to protect the data so won’t help if the EU comes calling.

Rather than getting vendors to sign DPAs, firms should be looking to ask them what facilities their software offers to help them reach a higher level of compliance.  The GDPR demands that firms document steps take to ensure compliance and completing a DPA is just the first of many steps firms need to take to reach the required level of compliance.