The GDPR: ICO issues draft guidance on data controller and processor liability

In the run up to the GDPR applying from next year, there has been a variety of practical guidance for compliance at the European level through the Article 29 Working Party (“WP29”) (which reflects the consolidated view of national supervisory data protection authorities in each member state) and at the national level through the UK Information Commissioner’s Office (“ICO”).

Most recently, in October 2017 the WP29 published guidelines on (i) personal data breach notification requirements; (ii) automated individual decision-making and profiling, and (iii) the application and setting of administrative fines. The WP29 has also adopted guidelines on the right to data portability, data protection officers, lead supervisory authorities and on data protection impact assessments.

The ICO has issued a range of guidelines to assist organisations with compliance as well, including a constantly evolving “Overview of GDPR” which is intended to form the ICO’s guide to the GDPR. More recently, the ICO has also issued guidance on: (i) contracts and liabilities between controllers and data processors; and (ii) consent, plus a discussion document on profiling. Subsequent guidance is expected in the run-up to the application of the GDPR.

The draft guidance on contracts and liabilities between controllers and processors sets out the ICO’s interpretation of the GDPR and its general recommended approach to compliance and good practice. This is of particular importance to UK organisations, given that written contracts between controllers and processors are now required under the GDPR rather than being, as they were formerly, the way of demonstrating compliance with the seventh principle of the Data Protection Act 1998 (regarding appropriate security measures). These contracts must include certain mandatory contractual provisions, as a minimum. The terms are designed to ensure processing meets the GDPR’s requirements (including beyond just keeping personal data secure).

The draft guidance clarifies a number of issues relating to mandatory contractual terms and gives practical advice regarding how they should be drafted (see below). The guidance makes it clear that contracts must contain specific details about the data processing being carried out, including subject matter, length and purpose of the processing, the categories of data subjects involved and the types of data being processed. Relevant contracts should be updated to remove generic terms used to describe this information, as the guidance makes it clear they will not be acceptable.

The draft guidance also confirms that contracts must require the processor to tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law within the EU or a Member State. It was previously unclear from the drafting of the GDPR whether this term would be required.

For the first time, the GDPR imposes direct statutory responsibilities and liabilities on processors, outside the terms of the processor-controller contract. Processors, as well as controllers, may now be liable to pay damages or be subject to fines or other penalties. With the significant increase in the sanctions and penalties that can be imposed under the GDPR for non-compliance, the new requirements potentially give rise to a very different risk assessment and negotiating position for organisations.

The majority of the processor obligations are made clear in the GDPR and in the guidance. Processors will be subject to direct responsibilities:

• to ensure the security of its processing;
• not to use a sub-processor without the prior written authorisation of the controller;
• to co-operate with supervisory authorities;
• to keep records of processing activities;
• to employ a data protection officer (if required); and
• to appoint (in writing) a representative within the European Union if needed.

The guidance also emphasises that controllers still have direct liability to data subjects for damage suffered regardless of the use of a processor - unless they are “not in any way responsible for the event giving rise to the damage” under Article 82(3) – a high threshold.Many organisations already have written agreements in place to comply with the existing data protection framework. A key component of any compliance programme ought to include the review of any of these arrangements that will still be in force on 25 May 2018. In doing so it may be necessary to prioritise immediate areas to be rectified based on proportionality and risk, documenting all decisions taken. In particular, you should determine key or high risk contracts (it may be worth conducting a data privacy impact assessment to identify the latter, especially if large amounts of personal data are being transferred). Then you should review the terms to determine for example: (i) what additional provisions or information needs to be included given the wider requirements of the GDPR; and (ii) where the organisation’s liability currently sits (bearing in mind the greater statutory exposure now for both controllers and processors). This will help determine the most appropriate steps to take, whether to renegotiate agreements and the scale and scope of the exercise. In conducting any such exercise it is also a good opportunity to review the cyber security provisions and processes in any agreement more widely as well.

The GDPR allows for standard clauses from the EU Commission or a supervisory authority to be used to aid any redrafting required (none have been issued to date). The GDPR also envisages that adherence by a processor to an approved code of conduct or certification scheme may be used to help controllers demonstrate they have chosen a suitable processor. Standard contractual clauses may form part of such code or scheme, although no such schemes are currently available.

The ICO acknowledges the guidance will continue to evolve to take account of experience applying the GDPR and future guidelines issued by relevant European authorities.

ICO’s draft guidance on data controller and processor liability can be found here.

For further detail of the GDPR and steps to enable organisations to comply with it, please refer to our related briefings here and here.