The UK Information Commissioner’s Office (ICO) has issued new guidance on the liabilities of Controllers and Processors, advising that the Controller is responsible for assessing whether its Processor is competent to process personal data in line with the GDPR’s requirements.
- The assessment by the Controller should take into account the nature of the processing and the risks to data subjects.
- Some considerations:
  - the extent to which the Processor complies with industry standards, if applicable
  - whether the Processor has sufficient technical expertise to assist the Controller, e.g. in carrying out obligations under Articles 32-36 of the GDPR (technical measures, breach notifications and DPIAs)
  - whether the Processor provides the Controller with relevant documentation, e.g. privacy, record management and information security policies
  - whether the Processor adheres to an approved code of conduct (when available)
- Controllers should continue to monitor a Processor’s compliance, with frequency and methods used to audit compliance depending on the circumstances of the processing.