Conclusion: recalibrating responsibilities
The GDPR's biggest change to outsourcing is the recalibration of responsibilities between controllers and processors. Controllers remain primarily accountable, but the status of processors has been elevated to a much higher level of responsibility than before. The written contract setting out very specific processing commitments remains the cornerstone of this complex balance.
The GDPR's most significant change to outsourcing is the recalibration of responsibilities. Controllers remain primarily accountable for handling personal data, but processors' status has been elevated to a much higher level of responsibility than under the old framework. The duty of both parties to enter a written contract with very specific processing commitments remains the cornerstone of this balance.
Controllers stay primarily accountable; processors are elevated to direct responsibility; the written Article 28 contract is the cornerstone holding the balance together.