9th February 2012

New EU Data Protection Law Will Impose Extra Obligations on IT Contractors

IT contracting in the UK could be about to get a whole lot more complicated if proposed new data protection legislation makes it through the European Parliament and European Council.

Presently the processing of personal data is governed in the UK by the Data Protection Act 1998 (DPA). If the new proposals become law, that Act will be supplanted – and the pending EU legislation will impose a range of new obligations (with hefty fines for non-compliance) on contractors working in the IT skills market.

At the moment, the DPA imposes obligations on data ‘controllers’ only. These are the parties responsible for determining the manner and purposes of personal data processing – in other words, the contractor’s clients. Currently, the only data processing obligation on ‘processors’ (contractors) is to comply fully with the terms of their contract with the client. That could well be about to get a good deal more complex, according to information law specialist Olivia Whitcroft.

In an article for ContractorUK, Ms Whitcroft advises that contractors will soon be directly responsible for protecting the personal data they process from misuse, damage or loss. They will also be obliged to notify controllers (clients) immediately of any data breaches – at present under UK law this is a voluntary action and tends to occur only in the most serious cases. Fines will be levied for failures to comply.

The law, if adopted, won’t come into force for two years. Ms Whitcroft advises: “IT contractors can be thinking about their own potential compliance requirements, as well as how they could help clients with the development and procurement of compliant technology and systems.”
