From the 25th May 2018, the new General Data Protection Regulation (GDPR) will apply.
It is directly binding on Member States without any requirement for implementation into national law. The GDPR will strengthen the data protection rights of all EU citizens, introducing a new sanctions regime and new requirements that will increase the regulatory burden on controllers and processors.
The GDPR will apply to any public or private organisation processing personal data and will impose direct statutory obligations on processors for the first time.
A key requirement of the GDPR concerns the contracts between controllers and processors; this includes the terms under which Jisc provides its services.
Jisc offers around 100 specific services to its members and other customers. In delivering the majority of these services, Jisc is the controller of any personal data that is provided by the customer/user. Where Jisc is the controller of any personal data we are required to display a privacy notice compliant with the GDPR.
In a small number of cases we will also be processing personal data on behalf of an organisation (or individual) acting as a controller.
Where a controller engages a processor to process personal data on its behalf, such processing must be governed by a contract (eg service terms) which includes provisions on various matters, including:
- The description of the personal data being processed
- The instructions given by the controller to the processor in relation to the processing of the personal data
- Arrangements around reporting and assistance in relation to a personal data breach
- Sub-processing of the personal data by a further processor
- Return or deletion of the personal data at the end of the service provision under the contract
What have we done?
We have undertaken a comprehensive review of all of our services and the associated service terms and privacy notices (and are continuing to do so) to assess the data processing relationship between Jisc and the service user – ie where we are a controller; where we are processing personal data on behalf of another organisation acting as controller; and where we provide services to individuals (or "data subjects" in GDPR terms).
In that regard, we are, as necessary, updating our service terms and privacy notices to ensure these are compliant with our obligations under GDPR.
If you have any further queries please send an email to: firstname.lastname@example.org. When contacting us, please be specific about the service you are referring to.
A note about the Janet Network service
Whether a communications network is a processor for the packets it transmits is not straightforward, and the GDPR is not completely clear on this point. We are working on this area as part of our own GDPR compliance programme and we will of course inform members and customers if there are any changes required to our Janet Network service terms.
Andrew Cormack's blog post explains our current thinking on this point.