Consultancy and data protection
June 2019
1. Introduction
Consultants will have rights as data subjects, as well as possible obligations as data processors, depending on what services the consultant is providing to the client.
They may even be data controllers in some limited circumstances: See ICO guidance ‘Data controllers and data processors: what the difference is and what the governance implications are’.
On 25 May 2018, a new regime for data protection came into force under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), which replaced the Data Protection Act 1998 (DPA 1998). It is crucial that any processor status is established at the outset as the GDPR imposes significant obligations on data processors.
2. Consultants as data subjects
The data subject is the identified or identifiable living individual to whom personal data relates (section 3(5), DPA 2018). As with the DPA 1998, a consultant (or the individual, where the consultancy is through a service company) will be a “data subject” and the client will be a “data controller” for the purposes of the GDPR and the DPA 2018. Therefore, clients must process the personal data of their consultants in accordance with the GDPR and the DPA 2018.
The GDPR introduces increased rights for data subjects. They will have the right, among other things, to be informed about how their data is being processed and why, the right to be forgotten under certain circumstances, and the right to data portability which allows a data subject to obtain and reuse their personal data for their own purposes across different services.
Clients will also have to provide consultants with a privacy notice, which is used as a means of notifying them about the personal data that the client holds relating to them, and how they can expect their personal data to be used and for what purposes.
Historically, consultancy agreements may have included clauses by which the consultant consents to the client holding and processing their personal data. However, this type of generic consent is no longer so helpful under the GDPR since it can be withdrawn at any time.
The Information Commissioner’s Employment Practices Code uses the term “worker”, and is expressed to include “casual staff” and “contract staff”. It is therefore at least arguable that the Code will apply to the client-consultant relationship (and this is the approach that the Information Commissioner’s Office (ICO) has informally indicated that it would take). Although the Code was produced under the DPA 1998, there is nothing so far to suggest that it does not also apply under the new regime.
See Information Commissioner: Employment Practices Code here.
3. Consultants as data processors
As well as being a data subject, the consultant might also be a “processor” (or even a “controller”) depending on what they do for the client. Before the GDPR, consultants may have been controllers or processors, so those concepts are not new. However, the GDPR significantly expands the obligations imposed on data processors and gives processors direct responsibilities and obligations with respect to authorities (such as the ICO) and individuals. As a result, processors can be held directly responsible for non-compliance with their obligations.
Given the new obligations and responsibilities, it is important that consultants and clients give this thought before entering into (or continuing) a consultancy agreement. If necessary, consultancy agreements should be amended.
Clients and consultants will have to consider the fairly general definition of “processor” and “processing” under the GDPR to draw their own conclusions as to whether the consultant is in fact a processor.
The “processing” of personal data means an operation (or set of operations) which is performed on personal data. This includes (but is not limited to) the collection, recording, organisation, structuring or storage of that data, which is a broad definition. One example of a consultant who processes personal data might be an HR consultant who advises clients on day-to-day HR issues, such as disciplinary and grievance issues, since they will have access to details of the client’s employees. On the other hand, an HR consultant who advises clients on HR strategy might not process personal data.
And see here for ICO guidance on contracts and liabilities between controllers and processors.
Assuming that a consultant is a data processor who processes data on behalf of the client, who is the controller, the GDPR:
• Requires the consultant to enter into a written contract incorporating specific terms with the client and to process personal data only according to the client’s instructions.
• Restricts the consultant’s ability to engage a substitute, or sub-processor, by requiring the consultant to seek the client’s written authorisation to do so. If the client gives its authorisation, the consultant must put in place a contract with the substitute or sub-processor which offers the same level of protection for the personal data as that in the contract between the client and consultant.
• Requires the consultant to implement “appropriate technical and organisational measures” to secure personal data. This effectively means that the consultant must put in place the same security measures as the client is taking itself.
• Requires the consultant to maintain records of their processing activities.
• Requires the consultant to notify the client without undue delay after becoming aware of a personal data breach.
Some of these obligations will have a major financial impact on an individual consultant, such as the requirement to implement appropriate technical and organisational measures to secure personal data, and it may be that the only way to manage this is to pass the cost on to the client. The restrictions on appointing sub-processors will also have an impact on the ability to appoint a substitute.
One of the most important developments under the GDPR which will have an impact on consultants who are data processors is making them directly liable for damages, fines and penalties for breach of their obligations. Consultants and clients should therefore consider whether there is adequate insurance in place to cover these eventualities.