Common use of GDPR Cont Clause in Contracts

GDPR Cont.

SIROs and IAOs

Senior Information Risk Owners (SIROs) and Information Asset Owners (IAOs) need to assure themselves that they have taken reasonable steps to comply with the GDPR principles. IAOs need to consider the sensitivity and threats to their information and to identify those instances where access to personal information must be no wider than necessary for the efficient conduct of a customer’s business. The “need to know” principle must be used wherever personal information is collected, stored, processed, destroyed or shared within government and when dealing with external public or private sector organisations, and effective procedural controls put in place.

The Information Commissioner’s Office (ICO) regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.

Contractor

In the event of a Data Breach the Contractor should:

1. Notify the Customer within 24 hrs of the incident.
2. Notify the following Customer’s Contacts with the details of the data breach and actions being taken.

Customer Title* | Name | Email | Telephone
Chief Technology Officer: Accountable for all aspects of the Company’s Information Security | | |
Senior Information Risk Owners (SIROs) | | |
Information Governance (Information Asset Owners (IAOs)) | | |

*Customer job titles can be amended as appropriate to their force.

Appears in 1 contract

Sources: Service Level Agreement

GDPR Cont.

SIROs and IAOs

Senior Information Risk Owners (SIROs) and Information Asset Owners (IAOs) need to assure themselves that they have taken reasonable steps to comply with the GDPR principles. IAOs need to consider the sensitivity and threats to their information and to identify those instances where access to personal information must be no wider than necessary for the efficient conduct of a customer’s business. The “need to know” principle must be used wherever personal information is collected, stored, processed, destroyed or shared within government and when dealing with external public or private sector organisations, and effective procedural controls put in place.

The Information Commissioner’s Office (ICO) regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.

Contractor

In the event of a Data Breach the Contractor should:

1. Notify the Customer within 24 hrs of the incident.
2. Notify the following Customer’s Contacts with the details of the data breach and actions being taken.
3. The Contractor must tell the controller immediately if it is asked to do something infringing the UK GDPR or other data protection law of the EU or a member state.

Customer Title* | Name | Email | Telephone
Chief Technology Officer: Accountable for all aspects of the Company’s Information Security | | |
Senior Information Risk Owners (SIROs) | | |
Information Governance (Information Asset Owners (IAOs)) | | |

*Customer job titles can be amended as appropriate to their force.

Appears in 1 contract

Sources: Service Level Agreement