THE INTERNAL DATA PROCESSOR AND THE GDPR

By | Tuesday July 19th, 2016

One of the faults of the current legislation, that has been maintained in GDPR, is the use of the same term for both the internal data processors in an organization (usually managers or officials) or external ones (generally outsourcers companies or service providers). Leaving out the current consequences of these definitions we take into account the innovative features of GDPR. This last attributes to the Data Processor a real co-responsibility with the Owner, so that is subject to the same heavy penalties. This will entail surely a renegotiation in economic terms of the contracts, whereas it an external manager will risk a lot more than today for the conduct of its business.

But what about an employee of a company that, according to its designation, risks the same penalties of the organization on which he depends (unlike for example of his own CEO that is not called to account in the same way)? In this context, hardly be anyone will accept a designation as internal Data Processors with the new rules of GDPR, even in presence of generous compensation. By contrast, nothing prevents the Owner to create its own organizational privacy with appropriate attribution of different levels of responsibilities and tasks among the various figures. It is therefore likely that the figure of the internal Data Processors will be destined to disappear, replaced by less demanding roles in terms of objective responsibilities.

Category: Legal framework Roles and Liabilities

About Giancarlo Butti

Deals with ICT, organization and legislation since the early 80s covering different roles: security manager, project manager, auditor at banking groups, consultant in security and privacy to companies of different sectors and sizes. Performs regular activity of dissemination through articles (over 700), books (21 between books and white papers also used as university texts, 11 collective works within the ABI LAB, Oracle Community for Security and CLUSIT), technical manuals, courses, seminars, conferences… participates in working groups to ABI LAB on Business Continuity, Risk and GDPR, ISACA-AIEA on GDPR and 263, Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA Member of CLUSIT and BCI. He is certified (LA BS7799), (LA ISO IEC 27001:2013), CRISC, ISM, DPO, CBCI, AMBCI.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.