One year and six months ago, the European General Data Protection Regulation (GDPR) came into effect. For the world - or at least businesses -  life didn’t end on the 25.05.18, neither have we seen massive amounts of fines given to small and medium-sized companies after that date.

We are still more or less in the implementation phase of the regulation, learning to look at personal data processing in a new way. As webmasters or site administrators we also may have received a new role, even if we didn’t ask for it: the role of a data processor.

This article is part of GDPR overview: Decrypting the regulation in series.

What is involved in data processing?

Where there is a register containing personal data, there is always a controller and very often also data processor(s). If someone, either a person or organisation, is processing data on a controller’s behalf, that person is a processor. At this point, it’s good to take a look at what GDPR means with regard to data processing. The definition in GDPR’s article 4, paragraph 2, covers a wide set of operations ‘which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

Am I a data processor?

In general, we could say that if we provide services to our customers, any more than just provide a website to them with a quickstart package, we may well find ourselves in a data processor’s role. Of course, this is valid only if personal data is involved in the site. When looking at the list of operations set out in GDPR article 4, paragraph 2 (also in the previous paragraph), we can easily understand that it is actually difficult to avoid the processors’ role, especially if you have access to the site’s backend. As a matter of fact, we may in many cases want to take care of many of those actions on a site owner’s behalf, just to avoid mess and confusion. Nevertheless, the way we became data processors (if we have) is an essential key factor in understanding the obligations and responsibilities involved with that role. Actually, in many cases, we may have a better awareness of the obligations of GDPR than the controller, who may be as an entrepreneur the only person in their company.

Important requirements and obligations for data processor

The responsibilities of a data processor are widely described in GDPR’s article 28. First of all, the processor has to provide appropriate technical and organisational measures (TOMs) to meet the requirements of the regulation and ensuring the protection of the rights of persons whom personal data is involved (data subjects). Also, the personal data should only be processed by following documented instructions from the controller. Data processors also need to take all security measures described in article 32 which include responsibilities concerning security and confidentiality matters, but it also refers to the need of a backup policy, or as it is said in the regulation: ‘the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident’.

But even if we have all the TOMs in place as processors for our customers, is there any way to document our compliance efforts? Well, GDPR is also about trust and the sign of a Data Processing Addendum/Agreement is the minimum action that can establish trust between both parties (Data controller and Data processor).

Some practical tips for webmasters

If all of our customers were well aware of the requirements of GDPR and rushing to perform the required measures accordingly, implementing GDPR would be easy peasy for all of us. But since often the opposite is true, we have an important role in spreading the awareness of privacy matters among our customers. Here are some practical tips about where to start:

• First: See if there is personal data involved in the site you administer. If not, you are good to go BUT: you could suggest to your customer to add the company’s privacy policy documentation to the site. This is a best practice and not just a GDPR requirement.
• In case personal data is involved in the site, try first to get an overview of the situation and possible risks. Your customer is probably the controller and responsible for taking the proper measures but in the worst case, he/she may not be aware of it. So, especially if you find yourself (and maybe unwillingly) in the data processor role, discuss it with your customer and tell him/her about the controller’s legal responsibilities
• Good documentation is essential. Keep notes of your discussions with customers and save emails. Insist on written instructions for data processing as well as other agreements (DPA).
• Have an overview of the site and data processing practices in place (from your point of view) and inform your customer if you find deficiencies.
• Keep always in mind that your role may be in many ways vital in achieving GDPR compliance in your customer’s company, especially in small and micro-sized companies.
• Learn the fluent usage of the Joomla Privacy Tool Suit (J! 3.9->)  and utilize it in your customer projects.

Legal disclaimer: This article contains general information about legal matters. The information is not advice, and should not be treated as such. You should not rely on the information on this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information on this website.

This article has been proofread by Philip Walton. My special thanks also to Achilleas Papageorgiou for his invaluable contribution.