On 13 September 2017, the UK Information Commissioner's Office (ICO) published draft guidance on contracts and liabilities between controllers and processors under the GDPR.

The draft guidance does not add substantial detail to the provisions of the GDPR, but it is a useful reminder of the key points. For example, it highlights the requirement for a written contract between the controller and any of its processors and summarises the provisions that the GDPR states must be included in the contract, specifically:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the controller
  • The obligations of the processor

It is unlikely that current controller-processor contracts will cover all of these points, so existing contracts will need to be reviewed and updated to address these requirements. Consultation on the draft guidance closes on 10 October 2017.