For controllers of data, the GDPR gives clearer and more explicit guidance. The new piece that is causing sleepless nights and headaches in many boardrooms is processor duties, explains Carsten. “These responsibilities were previously covered by contractual agreements between commercial parties, and were not subject to government statute. It presents a new liability.”
Processors who handle other parties’ customer and personal data indirectly are now required to implement “appropriate technical and organisational measures” to protect that data. The main source of confusion is not any technical provision of security but the large change in how commercial and operational risk must now be calculated, says Carsten.
“The big questions are: who is paying for this? And who is deciding what is deemed to be ‘appropriate’? Previously, the client determined what security and protection was appropriate or necessary, leaving the supplier to price it up and implement it. Now that the GDPR has introduced a statutory obligation on suppliers to maintain the privacy of third-party customer data, there is a tussle about who should pay for this.”
Cyber security comes with a big price tag, so there are some serious negotiations going on in boardrooms about who foots this very substantial bill. “A flow-down of obligations along the supply chain is replacing contractual requirements. Suppliers are suddenly finding themselves directly subject to GDPR, prompting huge discussion. At present there is no guidance from the EU – it is silent on the matter.”
The GDPR and its amplified obligations have therefore prompted discussion along the entire supply chain, says Carsten, and this could have a silver lining. Paradoxically, while the GDPR ushers in more explicit, statutory obligations, Weinholdt believes it will rely on greater trust and cooperation between players to secure citizens’ personal data.
“More than before, globalisation relies on supply chains that are flexible and quicker to respond – businesses have to turn on a sixpence, and swap components in and out fast. GDPR places a competing pressure on companies to make data protection measures transparent and introduces new controls, including the obligation to provide evidence of due diligence on demand.”
To cope with these competing demands, Carsten believes the contractual piece of the protection puzzle will become more detailed and granular. Companies that are processors under the GDPR have to find ways to manage their suppliers, customers and data protection provisions more effectively, he says. “We will all introduce new systems and tools to manage contracts faster, because of GDPR and other drivers.”
Author: Helen Beckett
Helen Beckett is the Community Manager of the Business Value Exchange. She has been a writer and editor for over 20 years and takes a particular interest in the challenges facing the CIO in today’s business climate.