ICO issues draft guidance on contracts between data controllers and data processors
What must be included within a contract between a data controller and a data processor to ensure compliance with the General Data Protection Regulation (GDPR)?
The GDPR significantly alters the balance of obligations, responsibilities and liabilities between controllers and processors of data. It mandates that when a controller uses a processor, it must have a written contract in place covering data security and all key aspects of the relationship.
The Information Commissioner’s Office (ICO) has issued draft guidance to assist organisations in preparing or updating their controller/processor contracts. The ICO confirms its interpretation of the GDPR, and provides a general recommended approach to ensure compliance.
The ICO outlines that, as per the GDPR, controller/processor contracts must set out:
- the subject matter and duration of the processing
- the nature and purpose of the processing
- the type of personal data and categories of data subject, and
- the obligations and rights of the controller.
Further, the following mandatory minimum terms must be included, requiring the processor to:
- only act on the written instructions of the controller
- ensure that people processing the data are subject to a duty of confidence
- take appropriate measures to ensure the security of processing
- only engage sub-processors with the prior consent of the controller and under a written contract
- assist the controller in allowing data subjects to exercise their rights under the GDPR
- assist the controller in meeting its GDPR obligations, and
- delete or return all personal data to the controller as requested at the end of the contract.
The ICO also outlines the key responsibilities of each party. Controllers, for instance, will ultimately be responsible for ensuring that personal data is processed lawfully – regardless of the use of a processor, the controller may be subject to any of the sanctions set out in the GDPR. In a similar vein, if processors act outside the documented instructions of a controller, they will be considered a controller and be subject to the same liabilities and sanctions. Sub-processors won’t escape the responsibilities either – their contracts must contain the same legal obligations as set out in the main contract.
Another difference is that processors now have direct responsibilities and obligations under the GDPR, outside the terms of the contract. Processors can be held directly responsible for non-compliance with these obligations, or the contract terms, and may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.
Why is this important?
Although the requirement for controller/processor contracts is not new (and, indeed, is already considered good practice by most organisations), the level of detail and the mandatory terms outlined by the GDPR represent a significant change.
Any practical tips?
Contracts in place on 25 May 2018 will need to meet the new GDPR requirements – so now is the time to check whether your current agreements contain all the necessary elements. The changes required by each organisation will be dependent on how the business’ contracts currently deal with data protection.