Computing
Contracts and liabilities between controllers and processors under GDPR

The draft guidance aims to help data controllers and data processors understand their roles

  • Rocio de la Cruz
  • 11 October 2017

In September, the ICO opened a consultation period on its draft guidance, which provides practical guidelines for UK organisations on contracts between data controllers and processors under the GDPR.

The draft guidance includes an overview of the mandatory provisions that will need to be in place between controllers and processors from May next year, and stresses the requirements of their statutory obligations.

The guidance aims to help both parties understand their roles and find compromises that allow them to have the mandatory provisions in place. The consultation also seeks UK organisations' views as to whether the guidance provides the level of detail and clarification that they need to properly address this requirement.

The consultation closed yesterday. Although the guidance may not provide sufficient detail on every single point, it does include a lot of useful content that can be easily understood and followed, e.g. a controller and processor contracts checklist.

What are the current obligations?

The Seventh Principle of the Data Protection Act 1998 places an obligation on controllers to ensure:

  • that they have chosen a processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing of data - meaning an IT security audit needs to be carried out; and

  • that they have put in place a written contract stating that the processor will only act under the instructions of the controller and that they comply with data security obligations equivalent to those imposed on the controller.

The GDPR regime - updates that are opening discussion

The GDPR enhances the current obligations and includes a set of mandatory provisions that need to be included in the agreements between data controllers and processors. These provisions are not new; in fact, many data protection practitioners have been using them for years to clarify positions and minimise risks. However, the fact that they are becoming mandatory is opening new points of discussion between parties that require special attention: for example, additional fees, the extent to which both parties will collaborate with each other, and identifying what data fits into the category of "being processed on behalf of the controller", amongst other things.

In light of this, many organisations are struggling to understand who would be responsible if one of the parties does its best to renegotiate a current agreement and the other party refuses to do so. Initially, you may conclude that the party refusing would be the responsible or liable one. However, the obligation of having suitable provisions in place is the controller's responsibility under the GDPR.

It seems that each situation where the parties do not find a compromise should be analysed on a case-by-case basis. This has raised concerns among controllers, as it may be difficult to simply change provider if they have already invested most of their budget in an existing contract. Would they be given more time - for example, an extension of the period that would apply in certain cases under Recital 171 of the GDPR - to find a solution without breaching the regulation?

We hope to hear more about this and other concerns related to this topic from both the ICO and the Article 29 Working Party.

In the interim, organisations will generally find the ICO's draft guidance useful to the extent that it explains why contracts between controllers and processors are important; it makes a distinction between what content is mandatory and what provisions are recommended for good practice. It also clarifies the processors' contractual obligations and what their direct responsibilities are under the GDPR - the understanding of which is crucial for service providers.

Rocio de la Cruz is principal associate at Gowling WLG


© Incisive Business Media (IP) Limited, Published by Incisive Business Media Limited, New London House, 172 Drury Lane, London WC2B 5QR, registered in England and Wales with company registration numbers 09177174 & 09178013
