I have recently been talking to a few companies selling technology solutions to businesses, and the mention of GDPR usually leads to one of these two comments:
- I don't think we are impacted.
- What is GDPR?
The General Data Protection Regulation (GDPR) is an evolution of the current European Directive on Data Protection, enshrined in UK law by the Data Protection Act. In May 2018 the GDPR will replace member states' data protection laws, bringing a single legal text across the EU.
Many businesses probably assume that their current DPA "compliance" will cover them for GDPR. It won't. They need to wake up to this reality well before May 2018, when the regulation goes live.
Such a wake-up call might come from Articles 24 and 28 of the regulation. Businesses dealing with customer personal data will have to ensure that the processing of that data by their suppliers (processors) meets the requirements of the regulation. In other words, controllers have a responsibility to select only processors that meet the regulation's requirements.
The regulation says "The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation."
This means that if you handle customer data on behalf of your clients (for example, if you are a marketing company or a cloud provider), your clients will eventually want to "re-paper" their contract with you before GDPR comes into play. To cover their own obligations, they will ask you to cover yours.
So if you are a processor, don't wait for that email or call from your clients: have a look at the ICO's website. It has plenty of information to give you an understanding of the regulation, along with guidance on how you can start a GDPR project.