Policy News Journal - 2017-18

The new Data Protection Bill will bring the European Union’s General Data Protection Regulation (GDPR) into UK law.

The Bill is due to have its second reading in the House of Lords on 10 October 2017.

See our 10 August news item which details what the Data Protection Bill will cover.


GDPR guidance on contracts and liabilities between controllers and processors 28 September 2017

The Information Commissioner's Office (ICO) has published detailed draft guidance on contracts and liabilities between controllers and processors under the General Data Protection Regulation (GDPR).

What is the difference between a controller and a processor?

The GDPR says that:

• a controller is a natural or legal person or organisation which determines the purposes and means of processing personal data; and
• a processor is a natural or legal person or organisation which processes personal data on behalf of a controller.

If you are not sure whether you are a controller or a processor, please refer to the ICO guidance 'Data controllers and data processors'. Although that guidance is based on the Data Protection Act 1998 (DPA), the parts of it setting out how to determine who is the controller and who is the processor are still relevant under the GDPR.

Under the GDPR, when a controller uses a processor it needs to have a written contract (or other legal act) in place to evidence and govern their working relationship. If you are a controller, the draft guidance will help you to understand what needs to be included in that contract and why. It will also help processors to understand their responsibilities and liability. There is also a useful controller and processor contracts checklist at the end of the guidance.

The guidance sets out how the ICO interprets the GDPR, and includes its general recommended approach to compliance and good practice. As the GDPR is a regulation that applies consistently across the EU, the guidance will need to evolve to take account of future guidelines issued by relevant European authorities, as well as the ICO's experience of applying the law in practice from May 2018.

The ICO intends to keep this guidance under review and update it in light of relevant developments and stakeholders' feedback.

CIPP comment

The draft guidance is open for comment until 10 October 2017. There are just five tick-box questions and the option to provide any other comments. You can respond directly to the ICO by email or post.

If you have any concerns or questions regarding compliance with GDPR, please do email details to us at policy .

The ICO will also be producing detailed guidance in 2017 on:

• children's data; and
• accountability, including documentation.

Looking ahead to the new Data Protection Act

The GDPR is only a part of the overall data protection framework. The government recently introduced the Data Protection Bill into Parliament. This should become law in 2018, replacing the current Act. It will:

The Chartered Institute of Payroll Professionals

cipp.org.uk