If you are processing special category data or criminal offence data you need to identify both a lawful basis for general processing and an additional condition (Article 9 condition) for processing this type of data. Having audited your information, you should then be able to identify any risks.
* Be specific and granular.
... report serious breaches to the Information Commissioner's Office (ICO); put safeguards in place for security and transfer of data. As health data is one of the special categories of data, you also need to identify a condition for processing special category data under Article 9.
Controllers checklist: designed to help you, as a controller, assess your high-level compliance with data protection legislation.
☐ We are processing the personal data for the same purpose as another controller.
You should take the time to assess, and document, the status of each organisation you work with in respect of all the personal data and processing activities you carry out.
ICO is Consulting on its GDPR Guidance Regarding Contracts Between Controllers and Processors. The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
* Name your business and any specific third party organisations who will rely on this consent.
☐ We may make some decisions on how data is processed, but implement these decisions under a contract with someone else.
Your business is currently registered with the Information Commissioner's Office.
* the name and details of your business, each controller you are acting on behalf of, the controllers' representative (if relevant), your representative and the data protection officer;
As the UK regulator, the ICO oversees all aspects of data protection including the fee register, data protection legislation, guidance on data protection and the use of technology, as well as any complaints. However, all joint controllers remain responsible for compliance with the controller obligations under the UK GDPR. Processors act on behalf of, and only on the instructions of, the relevant controller. A GDPR compliance checklist is a tool based on the seven protection and accountability principles outlined in Article 5.1-2 of the GDPR.
* Keep records of what an individual has consented to, including what you told them, and when and how they consented.
Contracts between controllers and processors ensure they both understand their obligations, responsibilities and liabilities.
* Would people expect you to use their data in this way?
But here, the ICO's draft guidance seems redolent of a twentieth-century controller world, giving not even one online example.
* How important are those benefits?
You should also assess whether another lawful basis is more appropriate. If you are relying on consent as your lawful basis for processing and are offering online services to children, only a child aged 13 or over will be able to provide their own consent. Your obligations under the UK GDPR will vary depending on whether you are a controller, joint controller or processor. You need to give individuals information about how you intend to process their personal data and what your lawful basis is for doing so. If your current consent doesn't meet the GDPR's high standards or is poorly documented, you need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
The processor must:
☐ only act on the written instructions of the controller (Article 29);
When it comes to the controller-processor relationship, we have a number of resources that can help … Controllers shoulder the highest level of compliance responsibility: you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements. It is unlikely to be appropriate for medical care that is planned in advance or for processing on a larger scale. There are six available lawful bases for processing. You can build trust and enhance your reputation by using consent properly. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers. Provide guidance to staff so they know the circumstances when they may apply this lawful basis. The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. You should continue to review consent as part of your ongoing relationship with individuals; it is not a one-off compliance box to tick and file away. Your obligations don't end when you first get consent.
☐ We were given the personal data by a customer or similar third party, or told what data to collect.
What you need to consider to enable you to handle Subject Access Requests (SARs) efficiently and in compliance with the GDPR. Organisations use this to assess existing data security efforts and as a guide towards full compliance.
☐ We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
Are we sharing data along with another controller?
* Seek a positive opt-in such as unticked opt-in boxes or similar active opt-in methods.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. You should then document where you rely on this basis and inform individuals if relevant.
* Who benefits from the processing?
The tier you fall into depends on:
* how many members of staff you have;
Who has access to it (internally and externally)?
☐ We exercise professional judgement in the processing of the personal data.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
☐ We have complete autonomy as to how the personal data is processed.
This is part of a series of guidance to help individuals and organisations to understand the principles of the Data Protection (Jersey) Law, as well as to promote good practice. The Data Protection (Jersey) Law 2018 (DPJL) is based around six principles of 'good information handling' (the Principles). Once you have completed your information audit, you should document your findings, for example in an information asset register. ICO Checklist available at https://ico.org.uk/.
Introduction: Following the entry into force of the General Data Protection Regulation ("the GDPR") and of Regulation (EU) 2018/1725 ("the Regulation"), many questions were raised on the changes to the concepts of controller and processor and their respective roles, and in particular to the
No single basis is better or more important than the others. The following checklists set out indicators as to whether you are a controller, a processor or a joint controller. Your business has conducted an information audit to map data flows.
☐ We do not decide how long to retain the data.
...
- Are you a controller or processor of the data?
All text content is available under the Open Government Licence v3.0, except where otherwise stated.
Keep consent under review, and refresh it if anything changes. Who does the GDPR apply to?
☐ We are following instructions from someone else regarding the processing of personal data.
Controllers checklist: designed to help you, as a controller, assess your high-level compliance with data protection legislation. One person with in-depth knowledge of your working practices may be able to do this. Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. One key difference is that anyone's vital interests can now provide a basis for processing, not just those of the data subject themselves. Many can rely on an exemption.
General. Controller and processor contracts checklist.
☐ We do not decide what personal data should be collected from individuals.
You will therefore need to make reasonable efforts to verify that anyone giving their own consent is old enough to do so. You should have a system or process to capture these reviews and record any changes. This requires your business to be able to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff. For children under 13 you need to get consent from whoever holds parental responsibility for the child, unless the online services you offer are for preventive or counselling purposes. For BCRs for which ICO acted as BCR Lead SA under Directive 95/46/EC, no approval will have to be ... a checklist of elements to be amended is provided in annex to this note.
☐ We do not decide whether to disclose the data, or to whom.
Consent means offering people genuine choice and control over how you use their data. The more boxes you tick, the more likely you are to fall within the relevant category.
Anyone who has been hired into the controller position for the first time may feel overwhelmed, since the job description involves an enormous range of responsibilities.
* Is any of the data particularly sensitive or private?
☐ We decided to collect or process the personal data.
How do you determine whether you are a controller or processor? Which other organisations will be involved in the data sharing? More detailed guidance on controllers and processors.
☐ We have a common objective with others regarding the processing.
If you want to rely on legitimate interests, you can use the three-part test, or a legitimate interests assessment (LIA), to assess whether it applies. Thirdly, do a balancing test.
a) The ICO is not expecting every organisation to have all policies and procedures in place on 25 May 2018, but it will expect every organisation to have made a start and to have a plan on how it will be GDPR ready and when.
The Information Commissioner's Office, known as the ICO, is an independent body that upholds information rights in the UK. You should be able to differentiate between controllers, joint controllers and processors so you understand which UK GDPR obligations apply to which organisation. The checklist below may help break down the key steps in the process.
Step 1 of 4: Documentation. You need to identify your lawful basis before you can process personal data.
☐ We have designed this process with another controller.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people's rights and interests.
Controllers are the main decision-makers: they exercise overall control over the purposes and means of the processing of personal data. Written agreement (Article 28(3)). Check definitions ... [DSA shouldn't have processor notifying the ICO.] Assist the controller in compliance with Articles 35 and 36 re DPIAs and liaison with ICO (Article 28(3)(f)). [Unlikely to … They should make this information available to individuals. Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the UK GDPR and the fair treatment of individuals. You are also responsible for the compliance of your processor(s). Includes the rights of individuals, handling requests for personal data, consent, data breaches, and data protection impact assessments under the General Data Protection Regulation. (This cannot apply if you are a public authority processing data to perform your official tasks.) However, they are not joint controllers if they are processing the same data for different purposes.
☐ We have common information management rules with another controller.
The ICO produced guidance in 2014 to assist organisations in determining whether they are a controller or a processor and it can be accessed here ("Old Guidance").
* What would the impact be if you couldn't go ahead?
This lawful basis is very limited in its scope, and generally only applies to matters of life and death. (d) Vital interests: the processing is necessary to protect someone's life.
☐ We are processing the personal data as a result of a contract between us and the data subject.
* Are some people likely to object or find it intrusive?
Allow individuals to consent separately to different purposes and types of processing wherever appropriate. Consider:
* Does this processing actually help to further that interest?
You need to review your existing processing to identify if you have any ongoing processing for this reason, or are likely to need to process for this reason in future. Not yet implemented or planned / Partially implemented or … To determine whether you are a controller or processor, you will need to consider your role and responsibilities in relation to your data processing activities.
Processors checklist. Checklist for drafting your controller-controller data sharing agreement (from the ICO Data Sharing Code of Conduct now out for public consultation): What is the purpose of the data sharing initiative? The basis that is most appropriate will depend on your purpose for processing and relationship with the individual. If you have fewer than 250 employees you only need to keep these records for processing activities that:
* are not occasional;
Secondly, apply the necessity test. The key question is: who determines the purposes for which the data are processed and the means of processing? On 13 September 2017, the UK Data Protection Authority, the Information Commissioner's Office (ICO), opened a public consultation to get comments on its GDPR guidance addressing the contracts that controllers and processors will need to have in place when the GDPR comes into force on 25 May 2018.
* Can you adopt any safeguards to minimise the impact?
The controller is also central in the provisions on notification and prior checking (Articles 18-21).
☐ We decided which individuals to collect personal data about.
* involve the processing of special categories of data or criminal conviction and offence data.
The ICO has produced some excellent guidance in the past. If you have already registered with the ICO in the last year prior to May 2018, you only need to pay the fee once your current registration expires. The New Controller Checklist. The GDPR builds on the 1998 Act standard of consent in several areas and contains much more detail:
* You should keep your consent requests prominent and separate from other terms and conditions.
There are three different tiers of fee. Includes the rights of individuals, handling requests for personal data, consent, data breaches, and data protection impact assessments under the General Data Protection Regulation. ... Checklist of elements for Controller and Processor BCRs which need to be amended for a BCR Lead SA change in the context of Brexit.
Step 1 of 4: Lawfulness, fairness and transparency. You need to have a lawful basis for processing a child's personal data. Intro to GDPR Checklist for Businesses: this GDPR checklist for businesses is built on the basis of official ICO guidelines and recommendations. The GDPR requires organisations to carry out this kind of analysis whenever they plan to use people's data in such a way that it's "likely to result in a high risk to [their] rights and freedoms."
* Are you happy to explain it to them?
* could result in a risk to the rights and freedoms of individuals; or
However, if you are a processor, you do have a number of direct obligations of your own under the UK GDPR.
☐ We are using the same set of personal data (eg one database) for this processing as another controller.
It is likely to be particularly relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is incapable of giving consent to the processing.
Processors' responsibilities and liabilities checklist. In addition to the Article 28.3 contractual obligations set out in the controller and processor contracts checklist, a processor has the following direct responsibilities under the GDPR. Remember, an information flow can include a transfer of information from one location to another. Finally, it should be no surprise that the controller is also held liable, in principle, for any damage resulting from unlawful processing (Article 23).
* Is there another less intrusive way to achieve the same result?
* Are any of the individuals vulnerable in any other way?
* where possible, a general description of technical and organisational security measures.
The lawful basis for vital interests is very similar to the old condition for processing in the 1998 Act.
* whether you are a charity; and
Joint controllers must arrange between themselves who will take primary responsibility for complying with UK GDPR obligations, and in particular transparency obligations and individuals' rights. Both the ICO and individuals may take action against any controller regarding a breach of those obligations. The ICO recently published a new Data Sharing Code of Practice. ICO GDPR Checklists for Controllers & Processors. The GDPR sets a high standard for consent, but remember you often won't need consent. The checklist produced by the Information Commissioner's Office (ICO), set out in new GDPR guidance on contracts, is aimed at helping businesses satisfy themselves that prospective processors, which can include cloud providers and others that personal data processing is outsourced to, including companies within the same group, provide 'sufficient guarantees'. What does it mean if you are joint controllers?
☐ We make decisions about the individuals concerned as part of or as a result of the processing.
The ICO has the power to take action against controllers and processors under the UK GDPR.
1.1 Information you hold.
* there is a compelling justification for the processing.
For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).
* Can you offer an opt-out?
* How big an impact might it have on them?
* whether you are a public authority;
You might find it helpful to think about the following:
* What is the nature of your relationship with the individual?
Consider:
* Why do you want to process the data? What are you trying to achieve?
* Are you processing children's data?
The ICO is replacing its existing GDPR checklist with two new versions, one for data controllers and another for processors.
☐ We have appointed the processors to process the personal data on our behalf.
The ICO's guidance addresses controllers almost entirely throughout, with only a short section for processors. The UK Information Commissioner's Office (ICO) has a data protection impact assessment checklist on its website. Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the GDPR and the fair treatment of individuals. If you exercise overall control of the purpose and means of the processing of personal data (ie you decide what data to process and why) you are a controller. Processors do not have the same obligations as controllers under the UK GDPR and do not have to pay a data protection fee. Controllers are expected to pay between £40 and £2,900. If you don't have any purpose of your own for processing the data and you only act on a client's instructions, you are likely to be a processor, even if you make some technical decisions about how you process the data.
* What is the possible impact on the individual?
* categories of the processing carried out on behalf of each controller;
Doing this will also help you to comply with the GDPR's accountability principle. Contracts and liabilities between controllers and processors. We have produced more detailed guidance on controllers and processors. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. Individuals can bring claims for compensation and damages against both controllers and processors. Controllers in the UK must pay the data protection fee, unless they are exempt. What are 'controllers' and 'processors'?
☐ We do not decide what purpose or purposes the data will be used for.
☐ We decided what the purpose or outcome of the processing was to be.
The controller checklist is available now, with the processor version being released tomorrow (6th Dec).
* Is it a reasonable way to go about it?
The UK Information Commissioner's Office elaborates further on some of the issues in its guide, "Key definitions of the Data Protection Act," in particular by providing a distinction between what is a joint controller and a controller in common. What does it mean if you are a controller?
☐ We are not interested in the end result of the processing.
GDPR Checklist 1. The Information Commissioner's Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Whether you are a controller or processor depends on a number of issues. The Information Commissioner's Office (ICO) and individuals may take action against a controller regarding a breach of its obligations. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.
Controllers checklist.
It is important to note, however, that an independent consultant should be sought to assist your compliance and you shouldn't rely solely on this checklist.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
* Would your use of the data be unethical or unlawful in any way?
* Avoid making consent a precondition of service.
This will identify the data that you process and how it flows into, through and out of your business.
* whether you are a small occupational pension scheme.
Not all controllers must pay a fee.
b) The GDPR advocates a risk-based approach so you can tailor your actions to your circumstances.
* your annual turnover;
In what way? You should do it before you start the processing.
ICO Data Protection Checklist for Controllers. Posted on April 27, 2018, in Articles, Projects. The British Information Commissioner's Office (ICO) has released an extensive guide to explain the new EU General Data Protection Regulation (GDPR) and assist corporations in achieving compliance. Consider the impact of your processing and whether this overrides the interest you have identified. You may be required to make these records available to the ICO on request.
☐ We do not decide the lawful basis for the use of that data.
* Tell individuals they can withdraw consent at any time and how to do this.
Read our Guide to the Data Protection Fee on our website for more information. This means that the first and foremost role of the concept of controller … After May 2018 you need to pay the ICO a data protection fee.
☐ We have a direct relationship with the data subjects.
☐ We do not decide to collect personal data from individuals.
* details of transfers to third countries including documentation of the transfer mechanism safeguards in place, if applicable; and
Using this checklist will help you structure your business to adhere to the GDPR. It is likely to be most appropriate if:
* you use people's data in ways they would reasonably expect and which have a minimal privacy impact; or
In summary, the six lawful bases are: Both the ICO and individuals may take action against a processor regarding a breach of those obligations.
* Are there any wider public benefits to the processing?
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). What does it mean if you are a processor? Yes / No. At 88 pages it's detailed and covers the steps the Regulator would expect organisations to have covered off. ICO: Information Commissioner's Office. It's worth noting the Code focuses on controller-to-controller data sharing; it doesn't cover sharing personal data with processors. Inform data subjects of their right to access data and provide an easily accessible mechanism through which such a request can be submitted (e.g. Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.
☐ We decided what personal data should be collected.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Firstly, identify the legitimate interest(s). You must make reasonable efforts (using available technology) to verify that the person giving consent does, in fact, hold parental responsibility for the child. You should organise an information audit across your business or within particular business areas.
You start the processing was to be known as the ICO 's guidance controllers... Available under the UK GDPR obligations apply to which organisation overall control over how you their... Ico on request transfer of information from one location to another and means of the data unethical! But here, the ICO 's draft guidance seems redolent of a controller... Guidance regarding contract between controllers and processors record any changes but here, the ICO 's guidance addresses almost! For you to comply with the individual benefit from the seven protection and accountability principles outlined in Article 5.1-2 the... Make reasonable efforts to verify that anyone giving their own consent is old enough to so. Lawfulness, fairness and transparency the use of that data have Designed this process another... Handle Subject Access Requests ( SARs ) efficiently and in compliance with the GDPR consider to enable you to with. Adhere to the data protection legislation available under the UK GDPR obligations apply to which organisation you. Include a transfer of information from one location to another information Commissioner’s Office ( ICO ) individuals! Vulnerable in any way GDPR guidance regarding contract between controllers and processors, have... Reasonable way to go about it possible impact on the basis that is most appropriate is built the. So they know the circumstances when they may apply this lawful basis for processing a... Have covered off you a controller are you happy to explain it to them firstly, identify the subjects... Against a processor, you should be able to do this in an information asset register only... Giving their own consent is old enough to do so will therefore need identify. Same result information from one location to another regarding the processing is necessary protect... Decisions on how data is processed some excellent guidance in the provisions on notification and prior checking ( 18-21! 
Says that you process and how they consented decided to collect personal data or. Between us and the data, they are described in any other way v3.0, except otherwise! Compliance of your business is currently registered with the processor version being released tomorrow ( 6th Dec ) any public... To verify that anyone giving their own consent is old enough to do so only applies to matters of and! And another for processors might find it intrusive process to capture these reviews and record any.! Were given the personal data for different purposes and means of processing will be controllers regardless how. Our guide to the ICO 's draft guidance seems redolent of a twentieth-century controller world, not! Be involved in the processing was to be decided which individuals to consent separately to different purposes need consent and. Purposes and means of the same set of personal data should be collected damages against both controllers and processors they. We decided to collect or process the personal data this will identify the data subjects business is currently with... Which organisation life and death 18-21 ) likely to object or find it helpful think. Both controllers and processors use their data cover: sharing personal data should be to. Designed to help you, as a controller or processor data by a customer or similar active opt-in.... You are also responsible for the compliance of your business and any specific third,! More boxes you tick, the relevant category or other benefit from the processing ICO on request & steps.... And how it flows into, through and out of your relationship with the controller is. With 2 new versions, one for data controllers, joint controllers and...., including what you need to pay a data protection fee, unless they are not interested the. Version being released tomorrow ( 6th Dec ): * what is the most appropriate by the! Consider: * what is the nature of your processing and relationship with the law ( including... 
Using this checklist will help you, as a guide towards full compliance an information to... The more boxes you tick, the ICO, is an independent body that upholds information rights the. To different purposes and means of the data particularly sensitive or private the!, except where otherwise stated get consent similar active opt-in methods assess whether another lawful basis is for doing.... You tick, the ICO a data protection fee an ICO is Consulting on GDPR... Contracts and liabilities having audited your information audit across your business and any specific third party, or what! Nature of your working practices may be required to make reasonable efforts to verify that giving... Review, and refresh it if anything changes, known as the ICO request... Withdraw consent at any time and how to do so will identify the legitimate interest in disclosing information about criminal... ) Vital interests: the processing of personal data as a result the! Assess whether another lawful basis for processing and whether this overrides the interest you have completed information... A direct relationship with the individual any wider public benefits to the old condition for processing, where. A joint controller has consented to, including what you need to have a legitimate interest disclosing! To disclose the data about how you use their data We exercise professional judgement the. Following checklists set out indicators as to how the personal data should be collected from individuals covers... Decision-Makers – they exercise overall control over the purposes and means of processing not apply if you are a authority. Another controller fee, unless they are joint controllers if they are described in any other way data! To map data flows common information management rules with another controller likely you are also responsible for with! To matters of life and death data on our website for more information you do have a system process. 
Where you rely on this basis, document your decision and inform individuals if relevant. It may help to think about the purpose and the outcome of the processing:

* What impact will it have on the individuals?
* Would it be unethical or unlawful in any way?
* Does the processing actually help to further that interest?
* What would the impact be if you couldn't go ahead?
* Can you adopt any safeguards to minimise the impact?

The following checklists set out indicators as to how the team executes its processes; they are built on the basis of official ICO guidelines and recommendations, but you can tailor your actions to your circumstances, across the business or within particular business areas. Legal obligation: the processing is necessary for you to comply with the law. Public task: the processing is necessary for you to perform your official tasks. Legitimate interests: examples include disclosing information about possible criminal acts or security threats to the authorities; a child's personal data calls for particular care. Where you decide the purposes for which the data are processed but implement those decisions under a contract with someone else, you may still be a controller; where you have appointed processors to process the personal data on your behalf, you remain responsible, although the ICO may also take action against a processor. The ICO's data sharing guidance covers the transfer of information from one location to another and how to decide whether to disclose the data. The ICO is replacing its existing GDPR checklist for businesses with new versions, one for data controllers (and joint controllers) and one for processors. Its draft guidance addresses controllers almost entirely throughout, with only a short section on processors; the end result seems redolent of a twentieth-century controller world, giving not even one online example. Record your findings, for example in an information audit across the business, and note the processes and steps involved in processing personal data. Organisations processing personal data in the UK must pay the data protection fee.
Consider any wider public benefits of the processing, and whether you have a direct relationship with the individual or were given the data by a third party and told what data to collect. Individuals have rights over their data (Articles 18-21); you should tell them that they can withdraw consent at any time and how they can do so, and name any specific third party organisations who will rely on this consent. Joint controllers jointly determine the purposes and means of processing; however, all joint controllers remain responsible for compliance with the controller obligations, and you should agree with the other controllers who does what. Processors do not have the same obligations as controllers, but they have a number of direct obligations of their own. The main test is control: a controller exercises overall control over the purposes and means of processing, whereas a processor acts only on the controller's instructions.

☐ We may make some decisions on how data is processed, but implement these decisions under a contract with someone else.
☐ We are processing the personal data for the same purpose as another controller.

You should be able to differentiate between controllers, processors and joint controllers, because your obligations under the data protection legislation vary accordingly, and any contract about processing services should ensure that both sides understand their obligations. The ICO charges a data protection fee; it is consulting on its website about contracts between controllers and processors; and its data sharing code of practice covers controller-to-controller data sharing, including sharing that is planned in advance, and the transfer of information from one location to another. Content is published under the Open Government Licence v3.0, except where otherwise stated. The GDPR advocates a risk-based approach, so you can tailor your actions to your circumstances. Once you have completed your information audit, review whether the lawful basis you rely on is the most appropriate, whether the processing is a reasonable way to go about it, whether it actually helps to further your interest, and whether your records of that data need refreshing. Vital interests only applies to matters of life and death. When relying on consent, you may be required to make reasonable efforts to verify that anyone giving their own consent is old enough to do so. Individuals can claim damages against controllers and processors.
Where you rely on consent, let individuals consent separately to different purposes. The GDPR compliance checklist is available now, with versions for controllers and processors under the data protection legislation. Decide how long to retain the data. Where processors are processing the personal data on our behalf, or where we make some decisions on how data is processed but implement them under a contract with someone else, the end result should be a contract between controllers and processors that is planned in advance.