Those of you who were on any of our recent GDPR webinars will be aware that data controllers (e.g. a payroll bureau client) need to amend their contracts with any data processors (e.g. the payroll bureau) to accommodate the new requirements under the GDPR.
For those of you who did not get to attend our webinars here is a brief overview.
Whenever a data controller uses a data processor there needs to be a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out certain information which needs to be included in the contract.
Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects (an individual who is the subject of personal data) protected.
Processors must only act on the documented instructions of a controller. They will, however, have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.
What does this contract look like?
To comply with the new requirements under GDPR you could either:
Our Advice to Payroll Bureaus
Our advice to payroll bureaus is to take an active role in educating your clients about the GDPR.
Although the onus is on data controllers to ensure contracts are in place, payroll bureaus looking to get ahead of the GDPR would be well advised to approach their clients and initiate putting the appropriate contracts in place.
Template Data Protection Agreement (DPA)
To assist our customers we have created a template Data Protection Agreement which can be used as an addendum to any existing agreements.