Under the General Data Protection Regulation (GDPR), which will apply to all EU member states from 25 May 2018, data processors have new responsibilities and liabilities in their own right, and both controllers and processors may be liable to pay damages or be subject to fines and penalties. Also, the written contracts between controllers and processors must contain specific detailed terms.
The Information Commissioner's Office (ICO) is running a short consultation on draft guidance on the responsibilities and liabilities of processors under the GDPR and what must be included in written contracts. Responses must be submitted by 10 October 2017.
The Government intends that the GDPR will remain on the UK statute books after Brexit. To that end, the Data Protection Bill 2017 was introduced to the House of Lords on 13 September 2017. The Bill, which is due to come into force in May 2018, will replace the Data Protection Act 1998 and incorporate the GDPR into national law so that the rules continue to apply after the UK has left the EU.