ICO Advises Business to Revisit Contracts to Comply with GDPR

on Tuesday, 21 November 2017.

The Information Commissioner has been writing a series of blogs to explain the practical impact of the new data protection laws to replace the Data Protection Act (the DPA).

The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, and a new UK Data Protection Bill will closely reflect the GDPR.

Amongst the headlines for the GDPR are fines of €20m or 4% of annual turnover (whichever is greater) for failure to comply. There are other changes such as data breach reporting, higher standards for consent and new obligations on data processors.

Under existing EU data protection laws (including the DPA), data controllers (people who determine what personal data is processed) need to have written agreements with data processors (people who process data on their behalf, such as cloud service providers, data storage or data destruction companies) containing certain key requirements such as the data processor processing the data controller's data in accordance with the data controller's instructions.

From 25 May 2018, the provisions that are required to be contained in those agreements are changing and increasing. In addition, for the first time, there are direct obligations under the data protection laws for data processors (rather than just data controllers) to comply, so it is in the interests of both sides to have compliant agreements.

In her latest paper on the impact of the changes in data protection laws, Elizabeth Denham, the Information Commissioner, has said existing contracts need to be updated to reflect the new requirements.

"Any contracts in place on 25 May 2018 will need to meet the new GDPR requirements," she said. "You should therefore check your existing contracts to make sure they contain all the required elements. If they don't, you should get new contracts drafted and signed. You should review all template contracts you use. It would also be prudent to make sure that your processor understands the reasons for the changes and the new obligations that the GDPR puts on it. Your processor should understand that it may be subject to an administrative fine or other sanction if it does not comply with its obligations."

One change under the GDPR is that businesses that use data processors have to ensure that those service providers can provide sufficient guarantees to implement technical and organisational measures to comply with the GDPR requirements and protect the rights of data subjects.

We have already been helping data controllers and data processors with updating their contracts. If you would also like help with this, so that your business can stay compliant, please contact Paul Gershlick in our Pharmaceuticals and Life Sciences team on 01923 919 320.