ICO publishes detailed guidance on the controller-processor relationship

Back in September 2017 the ICO published some draft guidance for consultation setting out their views on how to interpret Chapter IV (including Article 28) of the GDPR.

Chapter IV of the GDPR sets out responsibilities of Data Controllers and Data Processors. Whilst the general responsibility of a Data Controller is to apply the data protection principles to their business and uphold the GDPR from a compliance perspective, this section of the GDPR also sets out strict controls around the Controller and Processor relationship. Specifically:

  • The Controller should have a written contract in place (containing specific terms) with any Processors it uses to process its data
  • Because Controllers are responsible for ensuring compliance, they must ensure that they only use Processors which enable them to meet these compliance requirements
  • Processors have their own responsibilities and duties under the GDPR (something which doesn’t exist under the Data Protection Act 1998)

The ICO have now published their detailed guidance as a result of this consultation. They’ve done this in two parts.

Detailed advice and guidance about being a Data Controller or Data Processor

This is some useful guidance about how to determine whether you’re a controller, processor or a joint controller and what responsibilities apply accordingly. They’ve had similar guidance in the past, but it has been updated to the GDPR age and is useful to help any business understand where they fit when it comes to processing personal data.

Remember a Data Controller is the organisation that collects and determines how personal data is used. A Data Processor is an organisation that processes that data on behalf of the Controller. Where things get tricky is when a Controller passes data to a Processor who determines how it will be processed – depending on the circumstances the Processor may not be a Processor, but a Controller. For example if you pass you invoicing details to an accountant to process, then they will still be a Controller for carrying out their accountancy duties, not your processor.

The guidance from the ICO explains how to determine if you’re a Controller or Processor or joint Controller and what this means.

Detailed advice and guidance regarding the Article 28 contractual obligations

Once you’ve understood whether you’re a Controller or Processor and what the GDPR requires in terms of your responsibilities, Article 28 of the GDPR also requires there to be a contract between the Controller and Processor to determine the nature (and compliance) of the processing. Specifically the regulations require there to be a contract in place that says the Processor:

  1. Only process the personal data on the documented instructions of the Data Controller
  2. Only process the data outside the EU on the documented agreement with the Data Controller
  3. Ensure that any personnel processing the data for the Data Processor are fully up to speed with data protection law and duties of confidentiality
  4. Ensure that all processing is done with technical and organisational measures in place to ensure the security of processing
  5. Only engage sub-processors with the permission of the Data Controller as well as accept liability for ensuring the sub-processors are compliant and bound by similar rules
  6. Assist the Data Controller with its duties to deal with individuals’ rights (e.g. subject access requests)
  7. Assist the Data Controller with its obligations relating to security, data breaches and data protection impact assessments (DPIA)
  8. At the choice of the controller either delete or return (securely) data at the end of the processing activities
  9. Makes available to the controller all information necessary to demonstrate compliance which includes contributing to and allowing the controller to carry out audits and inspections

This contractual obligation has led to various ways to implement these terms, the most common being the use of a data processing agreement (or DPA) either as a standalone contract or as an addendum or part of existing contracts and terms of service.

The detailed guidance from the ICO considers these contract terms and also sets out the various duties and responsibilities for Controllers and Processors. Unfortunately, when it comes to the contractual terms they don’t say much more than what is on the face of the GDPR and in areas like the audit requirements and the Processor assisting the Controller, we could have done with more detail about what these might actually entail.

Worried what it means for your business?

Truthfully, we could have done with this detail before May (GDPR deadline) rather than 6 months after the GDPR came into force, but at least in fairness most of what is being said by the ICO in these two new guidance sections aren’t really a surprise in terms of their content. Businesses have been soldiering on with their compliance and getting their DPAs in place and thankfully there’s no surprises in the guidance that should worry any Controller or Processor who has already spent time and consideration in meeting their compliance obligations in this area.

So, if you’ve already put contracts in place and made a stab and determining your processing “status” then there’s really no change. Of course, if you’re reading this and thinking you really need to sort this out for your business, then that’s what the Digital Compliance Hub is all about. Helping businesses get to grips with what they need to do to comply with the GDPR (and other regulations too). With information and guidance in plain English and a helpline for when you need to ask some questions, specific to your business. Sign up today for a free trial – we’ve got a section dedicated to the Controller-Processor relationship.