The Information Commissioner’s Office (ICO) has just issued timely advice in the form of Guidelines (see below for link) with regard to the duties and responsibilities of data controllers (controllers) and data processors (processors), which is especially pertinent for those engaged in email marketing. The Guide contains a considerable amount of information on the differences between the two roles. As is normal with the ICO, the wording is clear and informative.
I say timely as new regulations will come into force later this year, and we will revisit the subject nearer the time. However, there is a lot you can, and it would appear should, be doing now to get ready for the change.
The Guide follows the route of giving examples to clarify those points which often cause problems for those with responsibilities for data. They are useful although it must be remembered that they are quite specific and so should not be followed blindly.
What is emphasised a number of times, so one would assume it has given rise to queries in the past, is that the controller has ultimate responsibility and this cannot be devolved onto a processor. If the latter makes an error then the controller is the one liable unless they can prove, by notes and documentation preferably, that they exercised due diligence.
This shows a common theme in the Guide: the creation of records. Without such support it is difficult to prove the defence. It goes on to suggest that both controllers and processors should have written contracts which clearly define roles and responsibilities. The Guide makes it apparent that, in the ICO’s opinion, general instructions, given verbally, are not sufficient.
The ICO frequently gives advice based on problems experienced by companies in the past so it is obvious they feel such contracts could have helped in these cases. Take the hint: produce contracts.
The Guide is a very useful tool which will help ensure that you do not fall foul of the legislation, both current and new. Whilst it is not, perhaps, riveting reading, it is essential for anyone with an email marketing list. It is also useful for controllers and processors, helping them to understand what they should do.