ICO provides guidance on selecting data processors

The General Data Protection Regulation (GDPR) requires data controllers to only use data processors that provide "sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject".

The checklist produced by the Information Commissioner's Office (ICO), set out in new GDPR guidance on contracts, is aimed at helping businesses satisfy themselves that prospective processors – which can include cloud providers and others that personal data processing is outsourced to, including companies within the same group – provide 'sufficient guarantees'.

The ICO said data controllers should assess the processors' "expert knowledge, resources and reliability", and provided a list of other checks they can perform on processors.

Controllers could check the extent to which processors "comply with industry standards", review "relevant documentation", such as processors' policies on privacy, record management and information security, and whether they adhere to approved codes of conduct or a certification schemes under the GDPR, when such codes and schemes become available, the ICO said. 

The watchdog also said controllers could check whether processors have "sufficient technical expertise" to assist them in meeting their obligations under the GDPR, such as in implementing appropriate security measures, reporting data breaches and conducting data protection impact assessments. The GDPR requires processors to assist controllers in complying with such duties.

"This is not an exhaustive list, and ultimately it is for the controller to satisfy itself that the processor provides sufficient guarantees in the context of the processing," the ICO said. "Whether the guarantees are sufficient will depend on both the circumstances of the processing and the risk posed to rights of individuals."

The ICO has also issued guidance on contracts and liabilities between controllers and processors.

Michele Voznick of Pinsent Masons, the law firm behind Out-Law.com, said the guidance summarises provisions written into the UK's new Data Protection Act and helpfully reiterated that controllers need to monitor processors throughout the period of processing and not just "sign a compliant contract then forget about it".

The GDPR requires processors to only process in accordance with the instructions given to them by controllers, unless required to do otherwise under EU or EU member state law. The ICO confirmed that existing practices around how instructions are often given can continue – it said data controllers do not need to set out their instructions on processing in the data processing contract, and can instead do so "using any written form, including email", so long as that instruction is" capable of being saved".

The ICO said that if a processor acts outside of the controller’s instructions "in such a way that it decides the purpose and means of processing, including to comply with a statutory obligation", then it "will be considered to be a controller in respect of that processing and will have the same liability as a controller".

The ICO also addressed the timeliness of obligations on processors to delete data under the GDPR in its guidance.

The GDPR requires data processing contracts to make provision for the deletion or return of personal data by data processors at the end of the processing contract, and for the deletion of copies of the data unless storage is required by EU or member state law. However, the ICO acknowledged that "it may not be possible for data in backups or archives to be deleted immediately on termination of a contract".

"Provided appropriate safeguards are in place, such as the data being put immediately beyond use, it may be acceptable that the data is not deleted immediately if the retention period is appropriate and the data is subsequently deleted as soon as possible, e.g. on the processor’s next deletion/destruction cycle," the ICO said.

Many businesses may need to update their contracts to comply with the GDPR's new provisions relating to the data controller and data processor relationship, the ICO said.

Data protection law expert Kathryn Wynn of Pinsent Masons recently explained that there is a lot of confusion about the concepts of 'controllers' and 'processors' of personal data, and set out how organisations can determine which category they fall under.