Last month, the Information Commissioner’s Office (“ICO”) published its draft guidance on contracts and liabilities between controllers and processors under the GDPR.
The ICO’s guidance is helpful in reiterating that businesses must ensure that their contracts are compliant with the GDPR.
However, it lacks detail in a number of important areas. Our Data Protection team have prepared a comprehensive response to the ICO, which is available in full here.
In summary, we believe that the draft consultation paper fails to:
- provide practical guidance on the general obligation to demonstrate compliance with the GDPR
- set out the ability of a controller or processor to limit, by commercial agreement, the general obligations set out in Article 28 (3) of the GDPR, including to assist the controller with right to be forgotten requests, subject access requests and security breach notifications
- provide sufficient information in relation to the potential requirement on the controller to educate the processor and the new obligations under the GDPR
- acknowledge that the commercial reality is that most contracts will not currently be compliant with the GDPR and that the process of reviewing and updating those contracts is a significant and important exercise which should be carried out before 25 May 2018
- provide practical guidance on how a business can ensure that it complies with the context specific requirements under Article 28 (3) of the GDPR (which should be unique and tailored for each contract) when it enters into a contract on its standard terms and conditions.
Finally, if you would like to read the ICO’s guidance on contracts and liabilities between controllers and processors, it is available here.