We process data on behalf of clients. As part of GDPR preparation we are understanding the basis for processing. What I expected to see was an influx of customers advising of the basis we are processing the information for on their behalf - guess what, we aren't. As a processor are we responsible for obtain this detail from the controller? Do we just 'decide' which basis applies in the absence of anything from the controller? If we don't hear, are we still compliant as an organisation? (as long as we can prove attempts at finding out) It is specifics like that that are not covered and truly wont be proven without case law in the future. But it is difficult to prepare without more details guidance in this area. My experience is that the ICO won't answer specific queries, I may stand corrected of course - what are other peoples experiences?