The introduction of the new data protection rules, GDPR, is less than 6 months away. It seems that many businesses have started taking action in preparation for the implementation in May 2018.
For those who have not looked at the GDPR, a good starting point is to determine if you are a data controller or a data processor.
What is the difference between a data processor and a data controller?
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
The GDPR introduces new legal obligations on data processors, including a requirement to keep records of personal data and processing activities. A data processor will have legal liability if it is responsible for a data breach.
Data controllers must ensure that they have written contracts in place with data processors and that these contracts comply with the GDPR. The ICO website has a checklist to assist you with the basic contents of such a contract.
Apart from the agreed contractual obligations between controllers and processors, the GDPR adds further responsibilities for data processors, which include:
- not to use a sub-processor without the prior written authorisation of the data controller;
- to ensure the security of its processing;
- to keep records of processing activities;
- to notify any personal data breaches to the data controller;
- to employ a data protection officer.
The ICO has issued a GDPR self-assessment checklist for data controllers and data processors, which is designed to assess an organisation's level of compliance with the GDPR.
You're on our blog and updates site, which is hosted by Markel Law Hub, a digital hub powered by the award-winning lawyers at Markel Law, bringing you real law, made easy.
Before undertaking our self-assessment checklist to help your organisation get ready for the GDPR, you should first determine whether your organisation processes personal data as a “data controller” or “data processor”. The definition of these two terms can be found in the Guide to the GDPR. In some instances, organisations will process personal information as both a controller and a processor. When this is the case, we would advise you to complete both assessments.