If you are acting as a Data Controller
The obligation to have a contract with a data processor remains part of the new data protection framework. However, the new rules require the inclusion of additional obligations on data processors.
In addition to the current obligations for a processor to act on the data controller’s instructions and to maintain appropriate technical security and organisational measures, the GDPR will require data processing agreements to oblige data processors to:
- impose confidentiality obligations on all personnel processing relevant data for the data processor;
- abide by the GDPR’s rules regarding the appointment of sub-processors (essentially, processors cannot appoint sub-processors without the data controller’s prior consent, thus ensuring the data controller has a full understanding of the way in which their data is processed);
- implement procedures to assist the data controller to comply with the rights of data subjects;
- assist the data controller in complying with other regulatory requirements, such as complying with rights of data subjects and carrying out data protection impact assessments and obtaining approval from relevant data protection authorities;
- return or destroy personal data at the end of the data processing relationship (at the data controller’s choice and where to do so would not contravene other retention laws); and
- provide the data controller with all information required to demonstrate compliance with the GDPR – this may involve including audit or inspection provisions.
Guidance from the ICO:
Twelve Steps to prepare yourself:
Use the ICO checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure.
Once you have completed each self-assessment checklist, a short report will be created suggesting practical actions you can take and providing links to additional guidance you could read that will help you improve your data protection compliance.