Sharing data between businesses has become a legal minefield since the arrival of the General Data Protection Regulation last May.
The U.K. data protection regulator, the Information Commissioner’s Office, has sought to shed light on a remaining gray area: the contractual agreements a data controller should have with another independent data controller when sharing customer data. Last week, the regulator issued an update on its data-sharing practices to bring them into alignment with GDPR.
Until now, there has been far more attention on agreements between data processors and controllers. The ICO has advised companies that are classed as data controllers under GDPR to pay more attention to agreements with other controllers. But many businesses remain confused over whether they should be classed as a controller, a processor or both.
WTF is it all about? Here’s a primer.
Remind me what a data controller is.
A data controller is a business that has complete control over who or what can access its customer data, and decides what purposes those partners can use the data for. It is also responsible for gaining consent to use its customers’ personal data directly from the customer.
What about joint controllers?
This is when two businesses have decided to take joint control in their data controller responsibilities and, therefore, also share equal liability. You can also have two separate, independent data controllers who have decided to work together (but not as joint controllers), which is what the ICO is referring to in its update.
And a data processor?
This is a business that only executes services on behalf of a data controller but has no say whatsoever in how that data is used and for what purposes. It is more like a technology facilitator, according to legal experts. “A processor only acts on the controller’s instructions,” said Sarah Williamson, partner at Ashfords Solicitors and specialist in ad tech law. “There are some decisions a processor might make, like the technical and security measures in terms of how to store that data. But they don’t decide to collect names and addresses from certain customers.”
Can a business be both a data processor and a controller?
This is where it gets messy, but, yes, they can, though there is still a lot of confusion in this area. Some companies believe they’re both when they’re not, and others believe they’re just a processor when in fact they’re also a controller, according to GDPR lawyers. Obvious data controllers: publishers and advertisers. Less obvious data controllers who are also data processors: agencies or ad tech vendors that also retain that data for their own purposes and claim a legal basis for doing so.
How do you define which you are?
This is a classic gray area. Being a data controller doesn’t just mean a business that has a direct relationship with consumers; that’s just one factor. Some legal teams within publishers determine whether ad tech vendor partners who claim they’re only processors are in fact data controllers by asking them whether they plan to retain the customer data after the contract with the publisher is terminated, or to return it. If the answer is the former, then they’re a controller as well as a processor.
OK, so what is the ICO update on controller-to-controller agreements for?
So much emphasis last year was on updating contractual agreements between data processors and data controllers because GDPR contains far more detail about the specific requirements for those agreements, as well as for joint controller relationships. Also, the mistrust in the digital ad supply chain meant that publishers weren’t confident they had visibility of how their ad tech partners would use their data — for instance, for purposes outside of that publisher’s expectations. If that happened, the publisher would land in hot water (though so would the processor).
The result was that very little thought was given to what was needed between data controllers and other data controllers.
If data controllers don’t do this, will they be in breach of GDPR?
No. But last week the ICO made it clear that it recommends that data controllers do so, in order to demonstrate their accountability. In essence, it’s guidance for good practice, which will go down well with the ICO should they be required to investigate any GDPR breaches. But take a second-party data deal, which is all the rage between publishers and advertisers. This is a project between two data controllers — so in theory, a GDPR data-sharing agreement should come in so both sides are covered.
Why is this important?
When the ICO announced its intention to fine British Airways and Marriott hundreds of millions of pounds, it eroded any widespread complacency among businesses that as long as they could show they’d put some effort into compliance, even if it was minimal, they’d be safe because the ICO didn’t want to resort to heavy fines. The size of the BA and Marriott fines even took GDPR lawyers by surprise. It has taught everyone not to be complacent. “It’s important to get it right, as then you can have proper clauses that correctly allocate liability,” said Kathryn Wynn, legal director at Pinsent Masons international law firm. “Otherwise, if Armageddon happens, you won’t be able to enforce it.”