Many companies have started the potentially lengthy process of auditing their service provider contracts to make sure that they comply with the requirements of the General Data Protection Regulation, which comes into force on May 25, 2018.

Fortunately for those companies that are trying to kick-start their contract audit process, the UK Information Commissioner’s Office (ICO) is forging ahead with its promised series of guidance documents to help companies get ready for the GDPR. The latest addition is a draft guidance note on the GDPR’s requirements for contracts between data controllers (the folks who make decisions about what personal data will be processed, and for what purposes) and data processors (the folks who carry out processing activities on behalf of a data controller).

The requirement that there be a contract between data controllers and their data processors is not itself new.  Current EU data protection law requires data controllers to have contracts with data processors governing the security of the personal data held by the processor and requiring processor to process the personal data solely in accordance with the instructions of the controller.

But the contract requirements under the GDPR are much more expansive. Continue Reading Have you started auditing your contracts with your service providers that handle EU personal data?  UK Information Commissioner’s Office issues draft guidance for compliance with the GDPR’s contracting requirements.