Who: Information Commissioner’s Office (ICO)
Where: UK
When: 13 September 2017
Law stated as at: October 2017
What happened:
On 13 September 2017, the ICO published draft GDPR guidance for consultation in relation to contracts and liabilities between controllers and processors. Following the short consultation, which closed on 10 October 2017, businesses must now wait as the ICO aims to publish its final guidance later this year.
Under the GDPR, the relationship between a controller and processor must be governed by a contract which, whilst not a new concept, must address a wider set of requirements than under existing data protection laws. Existing contracts are typically restricted to ensuring that the processor acts only upon instructions from the controller and requiring the processor to take appropriate measures to keep the relevant personal data secure. However, many companies will now find themselves facing the practical challenge of reviewing all of their processor contracts to ensure they suitably cover the additional details and reflect the specific circumstances of the processing activities. This may include, for example, providing details of the processing, ensuring processors provide suitable assistance to enable the controller to comply with its obligations, and requiring processors to allow for, and contribute to, audits by the controller or its representatives.
The draft guidance is useful in that it sets out the requirements to be included in contracts between controllers and processors and highlights the important fact that processors now have direct responsibilities and obligations under the GDPR. However, it fails to address, in any detail, what a GDPR-compliant contract may look like. The guidance points out that standard contract clauses may, at some point, be provided by the European Commission (or, indeed, the ICO). However, with no such clauses currently available, responsibility for ensuring compliant contracts remains solely with controllers and their processors.
Consequently, many businesses have no doubt raised questions with the ICO, including the following:
- is the requirement of a contract under Article 28 an obligation on the processor as well as the controller (i.e. who may be liable for not having a compliant contract in place)?
- to what extent must assistance be provided by a processor to ensure the controller’s compliance with its obligations?
- when must a processor flow down contractual obligations to a sub-processor?
- which entities in the processing chain may a data subject seek compensation from in the event of a breach?
Why this matters:
Controllers and processors should already have contracts in place in accordance with current data protection laws, but many face a difficult challenge to bring all of their contracts in line with the increased requirements under the GDPR. This won’t be helped by the lack of attention given in the draft guidance to the practical difficulties faced by businesses or the ambiguities in the drafting of the GDPR. The ICO has indicated that it will aim to publish the final guidance later this year and many will be hoping it addresses the lack of clarity in its predecessor.