Stephanie Coulson, Commercial Law and Data Protection Specialist at Muckle LLP, talks about the implications the new General Data Protection Regulation (GDPR) has on the relationship between organisations and their data processors.
The latest hot topic on GDPR is the nature of written contracts between data controllers and data processors. Data controllers collect and “own” the data. If you use third parties to process that data, then you have data processors. They could be in the form of a marketing consultancy, hired to analyse your data, or simply a third party server used to store your data, for example. A formal contract between data controllers and their data processors is essential to comply with next year’s regulations. Recently, the ICO has issued guidance on the subject. So what’s new? Data processors will have direct obligations under GDPR, a significant shift from the current Data Protection Act. GDPR introduces specific terms that must be included in any contract between a data controller and a data processor. These are over and above what’s needed to comply with the security principle of the Data Protection Act.These additional terms help organisations manage their data processors and the risks attached to their role. They will also help data controllers comply with the new data protection principle of accountability and give data subjects more confidence in how their data is managed. These contracts will need to contain, and here’s the legal bit, a minimum of: full details of the processing and the personal data to be processed the fact that the processor can only act on the written instructions of the controller that the employees of the processor must be under confidentiality obligations that appropriate measures will be in place to ensure security details on how and when the personal data will be deleted that the processor will assist in the controller’s compliance with GDPR, including assisting with subject access requests, data breach management and audits that the processor will not sub-contract without consent of the controller if consent is given to sub-contract, the obligations on the processor must be replicated in its contract with any sub-processors.What should businesses do now? The first step for any organisation is to identify all the processors you engage with. Once established, check and perhaps amend any contracts in place, or agree new contracts if there aren’t any. Remember, the ICO has a helpful checklist you can follow to make sure your business is set up to comply.
The first step for any organisation is to identify all the processors you engage with.
Stephanie Coulson, Muckle LLP