The introduction of the GDPR is imminent. The number of vendor contracts that some organizations have to process in a relatively short period of time means that inaction is no longer an option. Possible consequences of inaction include hefty fines, breaches of contract with suppliers and customers, and a ban on data processing, not to mention significant reputational damage. The time has come to act.

If the definitions in your current agreements are based on the definitions in the Directive, you may need to update them to reflect the revisions implemented by the GDPR. For example, the GDPR revises the definition of "personal data" to include online identifiers and location data, as well as a reference to genetic factors, and updates the definition of "sensitive personal data" (or "special category personal data") to include genetic data, biometric data and data relating to sexual orientation. The GDPR amends or adds other definitions, including the definition of "consent" and the notion of "genetic data".

In addition, several U.S. data breach notification laws define a security breach in a way that includes a risk-of-harm consideration. For example, Arizona's breach notification law defines "breach of security" as "the unauthorized acquisition and access to unencrypted or unprocessed computerized data that seriously endangers the security or confidentiality of personal data" and that causes, or is reasonably likely to cause, a significant economic loss to a person. While the GDPR applies a risk-of-harm test to the controller's obligation to notify the supervisory authority and individuals, it applies no such test to processors. Instead, a processor must immediately inform the controller after learning of a personal data breach.
However, given that this is new legislation with no legal precedent to work from, you may still have a few concerns and areas to focus on. Controllers are responsible for compliance with the processing rules of the GDPR, and they remain responsible even when another organization, the processor, carries out those activities. That's not to say that processors are out of harm's way.