Contractors to have their say on GDPR contracts

Contractors have just today to feedback on “wider” contractual requirements under the GDRP, to be put in place between those who store people’s data and those they hire to process it.

In fact, October 10^th is the closing date to respond to the Information Commissioner’s draft guidance on the contracts and liabilities between ‘controllers’ and ‘processors’ they appoint.

Addressing the former, which could be a public body or corporation, the ICO says it will be “prudent” to check that the latter, such as their contractor, is up to speed with the obligations.

In particular, the contract between the two parties must state details of the data processing carried out, and must set out the processor’s obligations, the commissioner says.

'Significant change'

Its guidance adds that this requirement includes the standards the processor must meet when processing personal data, and the permission it needs from the controller for the processing.

“This is a significant change in what is required by law, but in practice you may already include many of the new contract requirements in your existing contracts”, the ICO said, addressing controllers.

In practical terms, the change means that any new or existing contract in place from May 25 2018, and between a processor and a controller, should contain the processor’s ‘guarantees.’

In essence, these are promises to the controller that its consultants -- those processing data on its behalf -- will be GDPR-compliant, explains IT consultancy Gibbs Hybrid.

'Sufficient guarantees'

The guidance confirms: “Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

“In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement”.

And so-called 'sub-processors' are caught too. “Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place.

“Similarly, if a processor employs another processor it needs to have a written contract in place.” The commissioner did not example sub-processors, but it did illustrate what it means by the party who the sub-processor, potentially a contractor, would work on behalf of.

“A specialist private company provides software and data analysis to process the daily pupil attendance records of a state maintained school for an annual fee,” it exampled.

The new contractual requirement would also apply where “a public body uses a private company to administer and carry out assessments of individuals in relation to certain state benefits.”

Penalties

But Gibbs Hybrid hinted the part of the guidance which would catch contractors’ attention is where it tells controllers, “Your processor should understand that it may be subject to an administrative fine or other sanction if it does not comply with its obligations.”

The consultancy’s Punam Tiwari reflected: “With GDPR coming into full force by May 2018, many companies have a huge amount at stake if they fail to follow the rules -- which could lead to payments of up to 4% of the company’s revenue or a fine of 10,000,000 Euros.”

She advised: “Businesses need to ensure that they have granular contracts in place with consultants, which set out the responsibility of contractors to maintain a record of processing personal data – how, where and why data will be processed and the data subject should be at the forefront of the data controller’s mind”.