The General Data Protection Regulation (GDPR), which replaces the EU Data Protection Directive, is a comprehensive data protection regime aimed at achieving a high level of security of network and information systems across the EU and giving individuals greater control over their own personal data. The GDPR will apply to all EU member states from 25 May 2018 and will impose significant compliance issues for any organisation which holds ‘protected data’. The Government has indicated that the GDPR will remain on the UK statute books after Brexit. To this end, a new Data Protection Bill has been introduced to Parliament that will transfer the GDPR into UK law, replacing the Data Protection Act 1998 and introducing new data protection rights that take into account developments in digital technology and the way organisations often collect a wide range of information about people.
Under the GDPR, processors have new responsibilities and liabilities in their own right and both controllers and processors may be liable to pay damages or be subject to fines and penalties. Also, the written contracts between controllers and processors must contain specific detailed terms.
The Information Commissioner’s Office is running a short consultation on draft guidance on the responsibilities and liabilities of processors under the GDPR and what must be included in written contracts. Responses must be submitted by 10 October 2017.