Featured in JEP’s Expert Panel – 28th February 2018
A:
It is highly likely that they will need updating prior to 25 May 2018. This is one of the most important areas of GDPR, namely the contractual relationship between the data controller and the data processor.
While ultimately the responsibility is with the data controller to demonstrate compliance with GDPR, these contracts must now contain the key obligations required by Article 28 of GDPR, such as the processor having appropriate technical, security and organisational measures in place, a commitment to confidentiality, details of the exact processing to be done to the controller's personal data, the ability to exercise data subject rights, and assisting the controller in matters of compliance with GDPR. Such contracts must also be very clear in relation to data transfer arrangements and the data retention and deletion criteria required by the controller.
Where the processor operates outside these specific contractual requirements, both the processor and the controller are exposed to penalties for non-compliance with GDPR.
A suggested approach would be to start by looking at the key contracts where personal data is being processed, effectively the high-risk areas, such as outsourced payroll, cloud/managed computing services, direct marketing and financial services agents, if applicable.