Hi,

while I understand that GDPR is an evolution, there are some differences aren't there, and I wonder if I've understood them correctly. For example, as I understand it, while under data protection, liability was mainly with the data controller, under GDPR, data processors also now have some liability and can be fined in their own right. There is also a specific requirement to include particular minimum clauses in any contracts between controllers and processors, and the ICO has been consulting on guidance for this - this was their draft guidance in September: https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf 

What we're trying to work out is whether this means we have to write or rewrite contracts between the museum and suppliers of things like collections management systems, cloud-based systems like email etc that are much more explicit than they would have been under data protection, or whether the companies supplying such things will adapt contracts to meet GDPR, and what those contracts will look like, as the guidance seems a bit vague. If a processor is supposed to give controllers ‘assistance’ with data subjects' requests, what does that mean, how much would it cost, and who would pay?

Maybe we've overcomplicated the issues or misunderstood, so I would be interested to hear how others are approaching this.

Sian Woodward
 

****************************************************************
       website:  http://museumscomputergroup.org.uk/
       Twitter:  http://www.twitter.com/ukmcg
      Facebook:  http://www.facebook.com/museumscomputergroup
 [un]subscribe:  http://museumscomputergroup.org.uk/email-list/
****************************************************************