The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

In detail

Is this a big change?

Under the Data Protection Act 1998 (“the 1998 Act”), a controller that employed a third party to process personal data on its behalf (a “processor”) could demonstrate its compliance with the security principle by having a contract in place with the processor.

Typically, this contract would have required the processor to only act upon the controller’s instructions and to take appropriate measures to keep the personal data secure.

Under the GDPR, there is a separate obligation to have a contract. Also, contract requirements are more wide-ranging and are no longer confined to just ensuring the security of personal data. They aim to ensure that the processing of personal data, by a processor, will comply with all the GDPR’s requirements and protect the rights of data subjects. The GDPR sets out specific terms that must be included in the contract, as a minimum.

The contract must state details of the processing, and must set out the obligations and rights of both the controller and the processor. It must also include the standards the processor has to meet when processing personal data.

This is a significant change to what the 1998 Act required. However, in practice, existing contracts may have already included some of the new requirements for commercial reasons or as good practice under the 1998 Act.

The GDPR also allows the contract to include standard contractual clauses issued by the European Commission or a supervisory authority, such as the ICO. Again, this is a significant change in the law but, initially at least, it should make little practical difference, as standard clauses are not yet available.

In the future, processors may be able to demonstrate that they provide ‘sufficient guarantees’ to process personal data in line with the GDPR by adhering to an approved code of conduct or certification scheme. No such codes or schemes have been approved so far, so, initially at least, this should make little practical difference.

The main difference is that processors now have direct GDPR responsibilities and obligations, outside the terms of the contract. Processors can be held directly responsible for non-compliance with their GDPR obligations. They may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.

What are the key changes to make in practice?

If you haven’t already done so, you must ensure any contracts which were in place as of 25 May 2018 meet the GDPR’s requirements.

Controllers and processors should therefore check their existing contracts to make sure they contain all the required elements. If they don’t, it’s essential to either amend existing contracts or get new contracts drafted and signed, and to review all template contracts in use.

It would also be prudent for controllers to make sure their processors understand the reasons for the changes and the obligations that the GDPR puts on them. The processor should understand that it may also be directly subject to an administrative fine or other sanction if it does not comply with its obligations.