There is a certain degree of confusion as to the comparative responsibilities of data controllers (controllers) and data processors (processors). If you have data, you must have a controller. To put it simply, it is their responsibility if it all goes wrong. They have a distinct legal responsibility.
Processors work under controllers. If they make an error then the controller will generally be held liable. A personal defence for a controller is to show due diligence in regards to the training and supervision of a processor, and, naturally, the security of the data.
With the imminent arrival of new legislation, the EU Data Protection Regulation*, replacing the EU Data Protection Directive 95/46/EC, the Information Commissioner’s Office (ICO) has taken it upon itself to publish new guidance** to take into account the changes, and to clarify the items in the current regulations which will not be changing.
The guide covers the duties and functions of controllers and processors, which have not changed, in a comprehensive and clear document. It is well worth reading. It is free of pointless jargon and there is little complexity.
One over-riding principle with regard to data suggested in the guide is that all matters pertaining to its security, and the processes you have established, are recorded in writing, and that those records must be detailed.
If your company has few staff then it is likely that the function of controller is the sole one, even though you hold an email marketing list. Your systems must be rigid enough to support this. Do not think that the guidance is something you can safely ignore.
The ICO makes it clear that it expects contracts for controllers and processors to stipulate responsibilities precisely and that the general woolly wording of such matters, often nothing more than verbal instructions, which is common now will be frowned upon.
The ICO gives specific examples to clarify the points they are making and in this they are quite successful. However, the situations as described are specific. These are, as stated, for guidance only and not for reference. Care should be taken to ensure that you do not make assumptions as to their application to your situation. Much in email marketing is specific.
They show that merely following the instructions of a client does not, in the circumstances described in the guide, absolve the controller of a company from responsibility with regards to data. Further, it might be summarised as when one company is acting for or with another, it is probably not sufficient to nominate one as the controller. In certain circumstances, both companies require a controller.
The guidance goes on to clarify controller to controller responsibilities. This is particularly useful.
The ICO has a habit of clarifying certain legal niceties. This follows their tradition of making it clear and easily understood. It also means that ignorance of such requirements is not seen as a complete defence.
I would certainly advise anyone running a company which retains data on an email marketing list to read the Guide. Further, I suggest it might be a good idea to ensure your controller does as well. A precisely worded contract would be a safeguard to both you and your controller.