Hi Sian

In terms of existing contracts: under GDPR, it would be very sensible indeed to re-issue contracts with these providers to ensure that, as data controllers, you demonstrate that you have taken your increased responsibilities under GDPR seriously. They, in turn, will need to demonstrate that as data processors of your personal and/or sensitive data they too step up and demonstrate that they are fit to process your data, and moreover contractually oblige themselves to you that they are. If they are reputable, they will be keen to show you that they are serious about GDPR and they should not complain. I would expect that only those that don't take their GDPR responsibilities seriously will complain, and then you should seriously reconsider whether you want them to process your personal data. As a data controller, you will be responsible for a SAR, but again they need to demonstrate that if they are processing your personal data, they will assist you in dealing with the SAR, whether it is rectifying mistakes, erasure, etc.

I hope that helps a little

My best

Naomi 


Naomi Korn
 
Managing Director
Naomi Korn Copyright Consultancy Ltd -  Private Limited Company: 7804095
 
Trustee: CILIP (Chartered Institute of Library and Information Professionals)
 
Mobile: 079 57761032
Skype: naomi.korn
Twitter: @nkorn
 
www.naomikorn.com
www.web2rights.com
 
Sent from my iPhone

> On 21 Nov 2017, at 10:00, Sian Woodward <[log in to unmask]> wrote:
> 
> Hi,
> 
> While I understand that GDPR is an evolution, there are some differences, aren't there, and I wonder if I've understood them correctly. For example, as I understand it, while under data protection, liability was mainly with the data controller, under GDPR, data processors also now have some liability and can be fined in their own right. There is also a specific requirement to include particular minimum clauses in any contracts between controllers and processors, and the ICO has been consulting on guidance for this - this was their draft guidance in September: https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf
> 
> What we're trying to work out is whether this means we have to write or rewrite contracts between the museum and suppliers of things like collections management systems, cloud-based systems like email etc that are much more explicit than they would have been under data protection, or whether the companies supplying such things will adapt contracts to meet GDPR, and what those contracts will look like, as the guidance seems a bit vague. If a processor is supposed to give controllers ‘assistance’ with data subjects' requests, what does that mean, how much would it cost, and who would pay?
> 
> Maybe we've over complicated the issues or misunderstood, so I would be interested to hear how others are approaching this.
> 
> Sian Woodward
> 
> 
> ****************************************************************
>       website:  http://museumscomputergroup.org.uk/
>       Twitter:  http://www.twitter.com/ukmcg
>      Facebook:  http://www.facebook.com/museumscomputergroup
> [un]subscribe:  http://museumscomputergroup.org.uk/email-list/
> ****************************************************************