In less than a year’s time, the General Data Protection Regulation will succeed the EU’s Data Protection Directive. But many organizations striving to align with the new framework’s requirements are not properly weighing the gravity of its nuanced “controller accommodation” provision, or are avoiding it out of distress.
Controller accommodation is the concept of processors accepting the burdens of the GDPR on behalf of controllers when systematic or procedural boundaries necessitate it. Generally, this is put into the context of employing security measures and facilitating requests from data subjects to exercise their rights. The condition should eliminate finger pointing between controllers and processors, something that vague privacy doctrines of the past have allowed, but it seems as though companies are having trouble determining and formally spelling out when business relationships and technology interplay demand accommodation.
Straight from the text
Serving as the guard rails for this topic, Article 28 of the GDPR’s “Controller and Processor” chapter is chiefly the section that outlines the responsibilities of controllers when engaging processors. Part 1 of the article sets the tone for the remaining parts to come, establishing that controllers interested in delegating to processors (i.e. service providers) functions of their product or service that involve personal data processing must only engage organizations willing and able to uphold whatever the inherited obligations of the GDPR would be. Subsequently, part 3 dictates what must be documented in contracts between controllers and processors, particularly including details like the nature of the relationship with the processor (what the processor’s service or product is), what the processor will actually be doing (as in, what is the functional interaction between the controller and processor) as part of their service or product, the types of personal data that will be handled by the processor, and what general or specific GDPR obligations will be imposed on the processor. That part segues into the following section of the article, which most explicitly drives the concept of controller accommodation:
“…(e) taking into account the nature of the processing, [a processor] assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) [a processor] assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, [a processor] deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data…”
There are some very actionable takeaways here. Simply put: controllers can only work with processors that will abide by the precepts of the GDPR, controllers and processors must agree on accommodation requisites, and this all must be formally articulated in writing.
Read more at iapp.org