Consultation: Contract Guidance for Data Controllers/Processors Under #GDPR

The Information Commissioner has published draft guidance for data controllers and processors on their contracts and liabilities under the General Data Protection Regulation, for comment by 10 October 2017. GDPR takes effect in the UK from 25 May 2018, but a lot of preparation is required, including reviewing and updating contracts for personal data processing.

The guidance is intended to explain what data controllers must include in contracts; and what responsibilities and liabilities data processors have under the GDPR.

As a sign of the complexity and uncertainty in this area, the ICO adds that its guidance "will need to continue to evolve to take account of any guidelines issued in future by relevant European authorities... as well as our developing experience of applying the law in practice"...

Privacy Not Core To Your Business? Take The ICO's 12-Step Programme

Though years in the making, it's possible that word of the EU's data protection reforms has yet to penetrate some boardrooms, let alone the IT development roadmaps of UK plc, and the UK Information Comissioner is very concerned that Britain will not be ready to comply. So much so that it has created a new website to urge preparation for the new law - even though the draft directive is not due to be passed until after the UK's referendum on EU membership, and will not take effect until mid-2018. 

Brexit fans should still be concerned. The US will tell you that appropriate privacy safeguards are just one cost of doing business with Europe, and the UK will also need to comply in substance if it is to qualify for cosy trade deals as a non-member of the EU. 

The ICO recommends starting with this 12-step programme.