A specialist in information law has alerted contractors working in the IT skills market to the pending impact of a proposed new data protection directive from the EU. If passed by the European Parliament and the European Council, the law will impose new obligations on IT contractors, which could result in fines for failure to comply. IT contracting could be about to get more complicated.
Until now, the processing of personal data has been governed by the UK’s Data Protection Act of 1998, which imposes obligations on data ‘controllers’ only (these are usually the IT contractor’s clients – the party determining the purposes and manner of personal data processing). Specialist lawyer Olivia Whitcroft warns that the new EU law will place new responsibilities for compliance on ‘processors’, too (that is, IT contractors to you and me).
Writing in ContractorUK, Ms Whitcroft explains that IT contractors will be obliged to protect the data that they use from loss, damage or misuse. Failure to comply will leave the contractor open to punitive action by the regulator, the controller (end client) and/or the subject of the data.
In other words, you not only have to ensure that you are complying with the terms of your contract but you also have direct responsibilities for the data you process. This includes an obligation to notify the controller promptly should a security breach occur (currently, notification of data breaches in the UK is voluntary and only tends to occur when serious breaches arise).
The rules won’t become law for at least two years but Ms Whitcroft advises IT contractors to think now about their future compliance requirements.