The ICO and Seven Shades of Grey

If you’ve nothing to do at lunchtime and you’re an experienced DP person try the ICO quiz on the difference between Data Controllers and Data Processors. You can find it here. After all it’s not a hard quiz. Data Controllers determine the purpose and own the data; data processors just do as they’re told. For years we’ve had this easy to understand relationship and many organisations have outsourced some work involving personal data, drawn up the contract, monitored the performance of it and we all knew where we were. Data Controllers were liable for any problems and Data Processors just did as they were instructed.

Recent guidance from the ICO changes this. Instead of clear yes/no and black/white definitions the commissioner recommends that each relationship with another person processing your data is examined to see how much influence the other person has over how the data is processed. As a result there are no easy answers. Just some shades of grey.

If you are eager to do the quiz and go for it without reading the guidance prepare yourself for a shock. Better DP experts than yourself have taken the test and not performed at all well.

The guidance is well meaning but bends over backwards to accommodate every possible possibility that it’s not that useful.

Image credit www.jimbanks.com

%d bloggers like this: