February 2019 update
Thanks to member Muriel Esposito, who alerted us to the Brexit Hub on the MRS, which tackles the thorny topic of data transfers from the EEA to the UK in case of a no-deal Brexit. https://www.mrs.org.uk/standards/brexit-hubc
It has the merit of being clear and gives access to further resources, such as the ICO's controller-to-processor contract builder, including standard contractual clauses: https://ico.org.uk/for-organisations/data-protection-and-brexit/controller-to-processor-contract-builder/controller-to-processor-contract/
Other resources
The ICG recently ran a webinar on this topic – to view, click here.
The Information Commissioner's Office has published more information and resources to help companies prepare for GDPR.
- Getting ready for GDPR – a non-legal tool to assist in the creation of an inventory of personal data processed, map the processing of personal data and analyse the legal basis of the processing
- An overview of the key changes
- ICO's Guide to the GDPR has been updated to include additional guidance about the public task lawful basis and documentation of processing activities
- They have also launched FAQs designed to help small businesses
- GDPR myth-busting blog posts
- … and I am sure there is more available on their website
- 10 operational responses to GDPR from IAPP
- Article on the value of and responsibility for personal data by Rosie Picton and Kourosh Newman-Zand from Axis-Mundi
- Blog pulling together various GDPR resources
- Legal basis for processing explanation and tool
- My customer: advice on how to prioritise your activity
They are also working on some 'resources' which will help organisations' efforts to reach their customers and service users about changes brought about by GDPR. It is not clear what these resources will be, but they are hoping to have them ready by the beginning of March – we will update you on these as they are published.
Other resources include:
- Chime Insight & Engagement CEO, Crispin Beale, looks at the fundamentals that researchers need to know
- GDPR Advisor's (Lesley) resource pack designed specifically for market research
- The extremely useful Future Learn course – which we published last year and which they are now rerunning…
- Marketing Week 'setting the scene' webinar – If you register with Marketing Week you can watch the replay
- Marketing Week webinar tackling the specific topic of legitimate interest
- ICO guidance on legitimate interest
- Facebook group: It is being run by someone who used to work in Richard Branson's legal team. It is aimed mainly at online businesses and entrepreneurs, but a lot of the principles apply to companies like ours, as they are small businesses and consultancies. Suzanne posts a video every day, answers questions on the site and has templates and advice available to purchase
- GDPR notice from Research Now – see download on the right
Contracts
We are increasingly being asked to review and sign contracts which have been updated with GDPR clauses. One member kindly shared some recent advice received from a lawyer on this issue…
This clause in some form seems to be fairly standard: "In the event that a third party makes a claim against xxx (client) which relates to the processing activities of service provider or which relates to a service provider's breach of this clause 3, the service provider shall indemnify xxx (Client) in full and on demand in respect of any losses, liabilities, costs or expenses of xxx (client) relating to such third party claim"
Advice from lawyer said: there are two problems here. The first is that this potentially makes you liable to xxx (client) in circumstances where you have not been at fault, e.g. because there was a failure to obtain data subject consent where it was necessary. The second is that you are not covered yourself if xxx (client) causes you damage. I would suggest you add words to the end of this clause reading "The Service Provider shall not be liable to xxx (client) under this clause where the third party's claim arose as a result of any failure by xxx (client) to obtain any necessary consent from a data subject, or as a result of any breach by xxx (client) of Data Protection Legislation. Xxx (client) shall also indemnify the Service Provider in full and on demand in respect of any losses, liabilities, costs or expenses of the Service Provider relating to any claim which a third party may make against the Service Provider which arises as a result of any failure by xxx (client) to obtain any necessary consent from a data subject, or as a result of any breach by xxx (client) of Data Protection Legislation."