I am now living, eating and breathing GDPR on assignment and with other individual clients.
For lots of organisations GDPR compliance is real and genuinely being worked on. This means a complete review of data assets to create data flow maps and understand what personal data they collect and process, and in what capacity: data controller and/or data processor. This foundation work is the key to achieving and maintaining compliance and the only way organisations can understand their responsibilities.
Joint and several liability for data processing breaches, as set out in Article 82(4), is a potential risk if organisations don’t understand their data controller responsibilities with respect to their processors (Article 28) and data processors don’t manage their sub-processors properly (Article 28(4)). The neatest way to address this is to determine each party’s role and draft GDPR-compliant processing agreements.
However, equally important, and something that needs to be worked on sooner rather than later, is processor due diligence. Amending processor agreements to enshrine Article 28 may feel like enough to achieve compliance, but without underlying due diligence carried out well in advance of 25 May 2018, all you may have created is a contract breach on 26 May 2018. Article 29(3)(h) requires processors to make available to the controller all information necessary to demonstrate compliance with the obligations set out in Article 28. This effectively gives controllers the right to audit their processors, so that they can satisfy themselves that processor compliance is genuine and matches the processor’s contractual obligations.
Privacy policy redrafts next month.