Insights Information Commissioner’s Office consults on draft GDPR guidance on contracts and liabilities between controllers and processors

Contact

The General Data Protection Regulation (GDPR) will apply in the UK from May 2018 and replaces the Data Protection Act 1998.

The ICO explains that the GDPR builds on the existing requirement of principle 7 of the DPA (security measures) to have a written contract in place between a controller and processor. The GDPR requires much more: it specifies the detailed terms such a contract must contain with the aim of setting high standards and protecting the interests of data subjects.

Processors have new responsibilities and liabilities in their own right under the GDPR. Both controllers and processors may now be liable to pay damages or be subject to significantly increased fines or penalties.

The ICO’s draft guidance on contracts and liabilities explains to controllers what they must include in contracts, and sets out what responsibilities and liabilities processors have under the GDPR.

The ICO is running a short consultation on the draft guidance to gather the views of stakeholders and the public. These views will inform the published version of the guidance.

The ICO says that it is provisionally aiming to publish this guidance later in 2017, although this timescale may be affected if it needs to take account of developments at the European level. The ICO intends to publish this guidance as a series of linked webpages that can be downloaded as a pdf.

The consultation closes on 10 October 2017. To access the consultation, click here.

Expertise