The Regulation will have a significant impact on service providers/vendors (i.e. data processors) and organisations that engage them because:
- The Regulation imposes a number of detailed obligations and restrictions directly on processors, unlike the current Directive, which applies only to data controllers
- A processor will be fully liable for the actions of any sub-processor that it uses to provide its services and will be required to flow down its obligations under the Regulation to the sub-processor
- Significant penalties can be imposed on processors for failure to comply with their increased responsibilities, and individuals have enhanced rights to seek compensation directly from service providers
- The new law is much more prescriptive about the contractual arrangements that must be in place between controllers and processors than under the current Directive