The CNIL Issues New Guidance For Processors

In a significant change from the Directive, the GDPR imposes direct legal obligations not only on controllers but also on processors. The CNIL recently published a guide designed to help processors identify their new obligations and prepare for 25 May 2018, when the obligations will come into effect.

Processor Obligations
The main processor obligations highlighted in the guide include:

Where to Start?
To help processors prepare for the GDPR, the CNIL recommends that they:

Review of Existing Contracts & Model Clauses
The GDPR strictly dictates the content of a data processing agreement (see Article 28). The CNIL warns that all existing contracts will have to be compliant with these new rules as of 25 May 2018. The CNIL therefore recommends that processors start reviewing and updating their existing contracts today. The CNIL also suggests implementing these changes by way of separate amendments expressly stating that they will only become effective on 25 May 2018.

Under Article 28.8 of the GDPR, supervisory authorities can establish standard contractual clauses for processor agreements that controllers and processors will be able to use. The CNIL has not yet created them, but already provides in its guidance a list of model clauses that processors and controllers can use while waiting for the adoption of these standard contractual clauses. The CNIL insists that these model clauses do not constitute a contract by themselves and will need to be integrated into a broader agreement.

The guidance is available here (in French only).

How OneTrust Helps
OneTrust offers a large range of tools and modules that help organisations manage their privacy programmes. For organisations acting as processors, the OneTrust Data Mapping module can help them maintain separate records for both their own processing activities and those carried out on behalf of their clients. Our other tools and questionnaires can also help processors make sure they adequately implement Privacy by Design and by Default principles into their products and services and adopt adequate security measures. In addition, OneTrust’s Vendor Risk Management and Incident & Breach Management tools facilitate communication between controllers and processors like never before, and help them share information in a clear, easy, and effective manner.