ICO publishes draft guidance on the Controller – Processor relationship

Chapter IV of the GDPR sets out responsibilities of Data Controllers and Data Processors. Whilst the general responsibility of a Data Controller is to apply the data protection principles to their business and uphold the GDPR from a compliance perspective, this section of the GDPR also sets out strict controls around the Controller and Processor relationship. Specifically:

  • The Controller should have a written contract in place (containing specific terms) with any Processors it uses to process its data
  • Because Controllers are responsible for ensuring compliance, they must ensure that they only use Processors which enable them to meet these compliance requirements
  • Processors have their own responsibilities and duties under the GDPR (something which doesn’t exist under the Data Protection Act 1998)

On the 13th September, the Information Commissioner’s Office (ICO) published some draft guidance for consultation (deadline 10th October) setting out their view on how this section of the GDPR is to be interpreted.

What the Guidance says

  • By 25th May 2018 all Controller – Processor contracts should meet the specific requirements of the GDPR, particularly in terms of the contractual arrangements as set out in Article 28(3). This contract needs to be put in place each time a Controller contracts with a Processor. These contractual terms also need to exist if a Processor sub-contracts it’s Processing to a third party. Standard contractual terms, provided by a statutory authority (e.g. the ICO or EU Commission) can be used, but none exist at the moment
  • A Controller must ensure that it only uses a Processor who can demonstrate it complies with GDPR and as well as contractual terms, needs to demonstrate it has taken appropriate actions to ensure ongoing compliance when using the Processor. The Controller must also provide documented instructions to the Processor on what processing is to take place and the Processor must only act on those instructions
  • A Processor also has responsibilities under the GDPR to co-operate with the ICO, ensure its processing is secure (including obligations to report data breaches), keep records of processing activities, if appropriate employ a Data Protection Office (DPO) and appoint a representative within the EU where needed

What does this mean in practice?

  • Data Controllers are likely to carry out due diligence on their Processors to ensure the Processor enables them to be compliant with the GDPR and that the Processor themselves uphold the rules of the GDPR (as it will be the Controller that would be liable)
  • We should expect contract updates and negotiations in terms of the Controller / Processor agreements
  • Processors now have new responsibilities under the GDPR that they did not have had before and will need therefore, to carry out their own compliance checks

Who’s impacted by the new Processor rules?

A Processor is defined in the Regulations as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (Article 4).

On the face of it you might think that this just means Processors whose clients have outsourced their marketing, but actually it’s much more complex than this. The consultation document provides some examples:

A specialist private company provides software and data analysis to process the daily pupil attendance records of a state maintained school for an annual fee.

A public body uses a private company to administer and carry out assessments of individuals in relation to certain state benefits.

The readers of a monthly science magazine receive a hard copy delivered to their home. Their subscriptions and the mailings are handled by a company which is separate from the magazine publisher, and it does so at the publisher’s request.

A marketing company sends promotional vouchers to a hairdresser’s customers on the hairdresser’s behalf.

and refers to existing Data Protection Act guidance to further help determine whether you’re a Controller or Processor.

Essentially you need to consider whether you are facilitating the processing of data for your clients. If you are then you’ll be a Data Processor and have the new obligations to consider. In the digital world, that can mean the following types of services/companies can be considered a Data Processor:

  • Digital marketing companies who use their client data for marketing
  • Software as a Service providers (SaaS) and software companies who host their software for their clients
  • Hosting providers – if you provide hosting for WordPress websites for example, if those websites process personal data (e.g. because they’re an eCommerce site) then you will need to consider your role as a Data Processor

The Information Commissioner’s Office is seeking views on the consultation by 10th October.

Worried what it means for your business?

Don’t be worried. That’s what the Digital Compliance Hub is all about. Helping businesses get to grips with what they need to do to comply with the GDPR (and other regulations too). With information and guidance in plain English and a helpline for when you need to ask some questions, specific to your business. Sign up today for a free trial.

If you want to know more about what the GDPR means to you as a processor, on the 25th October we’re running a GDPR briefing specifically looking at the relationship the GDPR has for software providers (particularly SaaS). You can sign up via our Training & Workshop section via Eventbrite (HINT: the briefing is free to Digital Compliance Hub subscribers).