The General Data Protection Regulation (GDPR) came into force on 25 May 2018. As the supervisory authority, the Information Commissioner's Office has a wealth of information available for organisations to help you comply with the requirements.
Information Commissioner's Office (ICO) Website
The 'For organisations' tab will provide you with useful practical advice including a data protection self-assessment toolkit. If you haven't already, we recommend reviewing the ICO's Guide to the General Data Protection Regulation.
You may well have seen the '12 steps to take now' from the ICO. Below is some additional content regarding the information you, as a data processor, handle on behalf of ECC (as the data controller).
12 Steps to take now
As a data controller, ECC can only allow our processors to handle information on our behalf with a contract in place. During May 2018 we contacted organisations with our new additional data protection clauses, using the company contact that we had on file in our payments system. We requested that organisations sign and return a copy of the letter accepting the additional clauses. If you did not receive this communication, please email us at firstname.lastname@example.org advising of the service you provide for us and we will look into this. Do not leave this unaddressed: the GDPR places an obligation on data processors to advise the data controller if the instructions for processing (the contract) are not compliant with the obligations of the legislation, so it is in your interest to ensure the contract is current and accurate.
ECC's Information Policy for Contractors
Lawful basis for processing personal data
Most of the services ECC provide are delivered because we have a statutory duty to provide them or legislation we must adhere to. This means that our legal basis for processing is likely to be compliance with a legal obligation or a task carried out in the public interest under law. Where we rely on one of these as our legal basis, you are processing information on our behalf in line with that basis.
Where ECC do not have any legislation under which we provide a service, that service is more likely to be consent based, as it is something we choose to do rather than something we have to do. It is in these instances that we may need you to gather explicit consent on our behalf. However, only a limited number of services will rely on consent.
As our data processor, you must notify us immediately if you become aware of a data breach by emailing us at email@example.com.
We need to work together to ensure we protect our customers. Further information about identifying and handling data breaches or security incidents can be found in the ICO data breach guidance.
Where you engage another sub-processor in relation to our information, you are responsible for ensuring that they provide the same level of protection and treat the information in the same way you do. Your sub-processors may include your IT and system providers or other organisations who help you provide the service to our customers.
Information must not be transferred to a country outside of the EU without ECC's written permission. The most likely way this will affect you as our processor is that IT and systems are often provided from outside of Europe, frequently in the USA. Countries outside of the EU may not provide an adequate level of protection for our data because their privacy law differs. You will need to notify us if our data is processed in this way so that we can ensure appropriate safeguards are in place to permit the processing.
Communicating privacy information
Where ECC collect information and then share it with you to provide a service, we must ensure we provide the customer with appropriate privacy information so that they are informed of how we handle that data and who we share it with. This is usually known as a privacy notice and may appear on your website or at the bottom of a form.
Where you collect data on our behalf, it is your responsibility to provide the relevant privacy information and to ensure that it meets the requirements under GDPR. We will require an assurance that this is in place.
You will need to notify ECC immediately by contacting DPO@essex.gov.uk if you receive a request in which a data subject wishes to exercise their rights under GDPR. For instance, they may request that their information is deleted under 'the right to be forgotten', corrected or completed, or that its processing is restricted.
ECC's privacy notices
We hope this information is helpful to you and we look forward to our continued relationship and commitment to protecting information.
Last Updated: 28 June 2018