The Information Commissioner’s Office (ICO) releases GDPR guidance on “contracts and liabilities between controllers and processors.”
Ahead of the May 2018 deadline for GDPR enforcement, the ICO has released a 28-page document providing “detailed, practical guidance for UK organisations on contracts between controllers and processors under the GDPR.” The document aims to explain the requirements and responsibilities of data controllers as well as the new liabilities of processors. The document points out that many of the requirements may already be covered by existing contracts, but that the expansion and clarification of contractual clauses to evidence compliance with all aspects of the new regulations will likely be necessary.
Under the new regulations, contracts will be required between data controllers (the organisations responsible for the holding and use of the data) and data processors (those involved in the collection and ‘processing’ of data). This written contract or “other legal act” is to “evidence and govern” the working relationship of both parties. Under the current rules, these contracts are only advised as a measure to demonstrate compliance when necessary.
It is noted that “standard contractual clauses” as well as certification schemes for contractual codes of conduct provided by the EU Commission or a supervisory authority such as the ICO will be allowed and encouraged by the GDPR, but that as yet none have been drafted.
Emphasis is given to the GDPR’s expansion of liability to include data processors as well as controllers, the former now liable to pay damages or become subject to penalties if not found compliant. On top of this, processors will need to have contracts with other processors (sub-processors) if they are to utilise their services, with written authorisation from the controller.
What needs to be included in the contract:
Contracts must explain:
- The subject matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and categories of data subject
- The obligations and rights of the controller
Contracts must, as a minimum, require the processor to:
- Only act on the written instructions of the controller
- Ensure that people processing the data are subject to a duty of confidence
- Take appropriate measures to ensure the security of processing
- Only engage sub-processors with the prior consent of the controller and under a written contract
- Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
- Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
- Delete or return all personal data to the controller as requested at the end of the contract
- Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
Common Thread Network (CTN) announces Patricia Poku as new co-chair alongside Information Commissioner Elizabeth Denham
The CTN, the forum for data protection and privacy authorities among Commonwealth countries, has appointed a new co-chair to sit alongside the incumbent UK Information Commissioner. The decision was made at the CTN Annual General Meeting on 25th September. The organisation promotes cross-border co-operation for data security and privacy objectives.
Patricia Poku, also recently appointed as Executive Director and Member of the Board for the Data Protection Commission of Ghana, has worked as Head of Data Protection for the 2012 London Olympic Games and Global Director for Data Protection & Privacy at World Vision International.
With the rise of cybercrime and data abuse as international phenomena, not only on the level of government operative activities but also syndicate-level action usually involving the use of malware and the new universal digital currency Bitcoin, transnational co-operation is more important than ever, and gaining in participants. In July, South Africa joined the CTN and in August, the Cayman Islands issued its first Data Protection Bill, working for “adequacy with the EU directive,” the GDPR.
That the GDPR necessitates organisations outside the EU fulfilling data protection adequacy standards with EU member states if they wish to do business or in any way process data in Europe indicates that the best-practice policies encouraged by the GDPR may find global traction – and organisations such as the CTN have an important role to play in these processes. GDPR-level policies and practices will be especially desirable given the emphasis the ICO has been putting on the benefits to consumer trust that robust data protection provides. It should be viewed that in a global digital economy, data protection best-practice makes commercial sense.
Written by Harry Smithson