Website Providers: What if customers won't pay for GDPR updates?

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by BrighterTools, Jan 4, 2018.

  1. BrighterTools

    BrighterTools UKBF Regular Full Member

    Hi All,

    If I am a website supplier and provide sites that have contact forms, these need to be updated for GDPR. What if a customer does not want to pay for this? I assume they would be liable for any GDPR issues as they are the Data Controller?

    Also in this scenario, as a website provider I would be a Data Processor that is processing data on behalf of my client, the Data Controller.
    If the website has no means of deleting data permanently, or facilities to extract all the personal data including last IP addresses, I assume we can charge our customer for this, as this is additional processing; we are not bound to the end user as we are not the data controller?

    Your thoughts...
     
    Posted: Jan 4, 2018 By: BrighterTools Member since: Jul 27, 2008
    #1
  2. GraemeL

    GraemeL Pain in the neck? Full Member - Verified Business

    Join FSB and get free legal advice on this, rather than the educated guesswork that we might give you?
     
    Posted: Jan 4, 2018 By: GraemeL Member since: Sep 7, 2011
    #2
  3. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    Under GDPR there is an obligation to have a contract between Processors and Controllers that specifies all sorts of things (such as securing data suitably), but importantly also to "only act on the written instructions of the controller" (Article 29), so... get the contract in place detailing what you must do explicitly, and then do what the client has told you to do (i.e. either pay you to help them do it right, or explicitly do it badly - but at their risk).
    Hope that helps
     
    Posted: Jan 12, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #3
  4. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    Although obligations now sit with the processor (i.e. you) as well as the controller, it is still their responsibility to stipulate how the data is managed (usually via contract, as already mentioned). You should however keep an asset register to document whose data is being processed where, etc., along with other requirements such as retention. This will help you remain compliant both with legislation and contractual obligations. If you don't have the requirements in contractual terms currently, you should push out communications to the controller asking for their requirements; they should also stipulate the 'lawful basis for processing' so that you can record this in your asset register. Really the controllers should already be considering this and coming to you about it - but it seems common at the moment that they are sitting tight! :)
     
    Posted: Jan 29, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #4