GDPR for Contractors

30th April 2018
Written by Qdos Contractor

General Data Protection Regulation (GDPR) guidance for contractors

GDPR, or the General Data Protection Regulation, is the EU’s effort to update and upgrade data protection law across the whole of the EU, bringing it into line with how personal data is actually used in the digital economy by large firms such as Facebook and Google. Given that the UK currently remains part of the EU, it will automatically be bound by the GDPR, which replaces the Data Protection Act 1998 (the DPA 1998), the legislation brought into effect in the UK to implement the 1995 EU Data Protection Directive. The GDPR comes into effect on 25 May 2018.

The new regulation essentially gives individuals more control over how companies use their data. Among the key changes are larger penalties for non-compliance, and increased responsibility and liability placed on data controllers and data processors.


Who does the GDPR apply to?

Both data controllers and data processors will need to comply with the GDPR. A controller is essentially the party who determines the purposes and the means by which personal data is collected and processed; a processor is the party that processes the data on behalf of the controller.

It is the data controller who has the obligation to ensure that their data processor complies with the GDPR. However, the data processor must also comply in their own right and maintain records of their processing activities: if a processor is involved in a breach, they will be far more accountable under the GDPR than they were under the DPA 1998.


Will the GDPR affect contractors?

Given the nature of the work, it is highly likely that the services provided by contractors will involve the processing of personal data. This means that you will need to consider the GDPR going forward, ensuring that data is processed in a compliant way, that its security and confidentiality are maintained, and that any unlawful processing is avoided.

Under the GDPR:

“Personal data” includes “any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

“Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.


Next steps

The GDPR states that as a processor you must provide your client with "sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject".

Therefore, in order to become properly prepared for the implementation of the GDPR in practice, you should consider the following:

  • Reviewing your existing contracts with clients and amending them (or having a separate document drawn up) to set out each party’s responsibilities under the GDPR.

  • Keeping records of all processing activities carried out on behalf of a controller, to include the client’s instructions on the processing to demonstrate you are acting on documented instructions from the controller.

  • Asking your clients for written authorisation if you are to engage another processor (for example if you provide a substitute).

  • Ensuring all individuals processing your client’s data are subject to confidentiality obligations.

  • Ensuring you have the correct procedures in place to detect, report and investigate a personal data breach. Personal data breaches may result in individuals losing control over their data, and to guard against this the GDPR makes controllers and processors accountable for monitoring and reporting them: a processor must notify the controller without undue delay after becoming aware of a breach, and the controller must, where required, notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Agree with your client in advance how and to whom you will report, so that your delay does not consume their 72-hour window.

  • Putting in place procedures to ensure that at the end of your services and in line with the client’s instructions, you delete all data (including copies) or return it all to the client.

  • Familiarising yourself with the ICO’s code of practice on Privacy Impact Assessments (PIAs), which the GDPR formalises as Data Protection Impact Assessments (DPIAs). A PIA is intended to show that the client has considered all of the issues surrounding privacy rights and to document the steps taken to safeguard them. Although these are the controller’s responsibility, as a processor you are obliged to assist the client with them.


In addition to considering the above we advise that you review the relevant guidance issued by the ICO, and seek legal advice relating to compliance procedures and documentation. Not only will you need to ensure that your internal procedures are GDPR compliant, but a legal specialist would also be able to review and advise in relation to your data protection rights and obligations contained in any written agreements you may have with clients. 

Award-winning providers of insurance for the self-employed, Qdos are the leading authority on IR35, offering industry-leading employment status services to ensure the flexible working industry thrive. Qdos are the Best Contractor Insurance Provider 2022 and won the Queen’s Award for Enterprise in Innovation 2022 and 2017. 
