The UK Information Commissioner’s Office (ICO) is consulting on draft GDPR guidance on contracts and liabilities between controllers and processors. The guidance seeks to help organisations understand what must be included in contracts under the GDPR, and the new responsibilities and liabilities of processors.
The GDPR sets out the minimum mandatory terms which must now be included in contracts between a controller and a processor. The GDPR allows for standard contractual clauses to be drafted by the European Commission or supervisory authorities to be used in contracts between controllers and processors, but none have been drafted to date.
The GDPR also imposes direct statutory obligations on processors. This means processors, in their own right, will be subject to fines, and liable to pay compensation to data subjects for any damage caused by breaching the GDPR. Where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controller or processor involved, that part of the compensation corresponding to their responsibility for the damage suffered (subject to the processor only being liable for non-compliance with processor-specific GDPR obligations or if acting outside the controller’s instructions). This is a significant change in the legal landscape, as processors currently only have to comply with the terms of the processing contract, and despite the existence of such a contract, controllers currently remain ultimately liable for any breaches of data protection law caused by the actions of their processors.
Organisations should review and update existing contracts, as any contracts in place on 25 May 2018 will need to meet the requirements of the GDPR. Any template contracts being used will also need to be reviewed to ensure compliance with the new requirements. It is important for organisations to factor in the time required to agree new contractual provisions, as more protracted contractual negotiations are likely to occur in order to address the increased obligations of processors and ensure appropriate risk allocation for data breaches.
The consultation is open from today until 10 October 2017. The ICO hopes to publish the final guidance later in 2017, depending on developments at EU level.
Further information on the new contractual obligations and liabilities of processors is available in our GDPR Guide for Businesses, available to download here.