by TimLangley 2148 days ago
Slightly nitpicky, but the 72-hour piece is wrong here.

A data controller has 72 hours to notify the ICO (or other supervisory authority). A data processor has no such obligation [unless specified as part of the data processing agreement (DPA)].

Most DPAs will state ASAP s.t. the controller can notify.

But in this instance Blackbaud would almost certainly be a processor.

(It’s a neat [nasty] little loophole.)

1 comments

Article 28 makes it a requirement that the processor and the controller arrange for this notification requirement to be arranged between them. A failure to do so by the processor would likely make them liable. The processor is only able to discharge itself from this liability if they notify the controller promptly.

For more reading on this:

https://ico.org.uk/for-organisations/guide-to-data-protectio...