Contracts. Love them or hate them, you can't do without them under GDPR
24 Jan 2018
So, how did you get on with writing your list of clients and suppliers involved in your 'personal data infrastructure'? Odds are it's quite a lengthy list. Every one of these organisations needs to ensure that its contractual roles are clearly defined, ready for the GDPR and the new Data Protection Act. The ICO issued its guidance some time ago (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/), which is pretty self-explanatory and essentially says that the one thing both processors and controllers can't do without in future is clear, explicit contractual terms on which to process personal data.
At some stage the ICO will be providing model terms and statements for use in data processing contracts, but I doubt they will be seen before the 25th May. Word has it that the Direct Marketing Association is working on an update of its existing Data Processing Agreement Template (www.dma.org.uk/article/data-processing-agreement-template), which should be available long before the ICO's and should be gratefully received by Controllers and Processors alike.
However, for now you have some immediate challenges to consider:
• Do you have contracts in place for all your data processing partners, clients and suppliers?
• If not, are your internal or external lawyers prepared for what may be a substantial workload?
• Do you need to reflect the probable resource, delay and change impacts on your business's plans and prospects over the next few months?
• If your clients or suppliers are ahead of you in proposing new or amended contract terms, are they potentially skewing responsibilities and liabilities excessively in your direction? You need to avoid that at all costs.