GDPR - You reviewed your procedures. But what about your contracts?
Remember 25 May 2018? That's when the GDPR came into force. You worked hard. You went on that training course. You made a real effort to make your processes and procedures "GDPR compliant". But did you review your commercial contracts?
All public, private and third sector organisations that handle personal data within the European Union must comply with the GDPR or face the possibility of a financial penalty. In the UK, this can be imposed by the Information Commissioner. For many STEM-based enterprises, reviewing, renegotiating and updating their commercial contracts is the last step in a long journey to fulfilling their compliance obligations.
Your commercial contracts with suppliers and customers now need to be GDPR compliant. Lip-service is not enough. Neither is merely implementing widespread organisational change. Your contracts themselves must show that your business is committed to protecting personal data and to upholding the rights of data subjects.
Incorporating GDPR Principles into your Contracts
The GDPR alters your customers' expectations as to how you handle their personal data. Article 5 sets out six principles of the Regulation, stating that personal data must be:
- Processed fairly, lawfully and transparently;
- Collected for specified legitimate purposes only;
- Adequate, relevant, and limited to what is necessary for the intended purpose;
- Accurate and kept up to date;
- Stored for no longer than is necessary; and
- Processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Every supplier contract your organisation has must be examined, perhaps renegotiated, and ultimately updated to ensure that each provider deals with personal data in a legally compliant manner. Both Data Controllers and Processors need to be familiar with the Data Protection Act 2018, which supplements the GDPR in UK law and sets out the domestic provisions that apply alongside it.
Updating your Contracts – the Steps Required
Identification
The first step you took when beginning your GDPR compliance project (you did do one, didn't you?) was probably to create a 'data map' to understand where personal data was held within your organisation and how up-to-date it was. A similar exercise must be done with all your existing supplier and customer contracts. Every organisation that processes personal data on your behalf needs to be identified, as does any third party to which it subcontracts that processing.
Make sure the provisions in the agreement cover GDPR requirements
Under Article 28(3) of the GDPR (section 59 of the 2018 Act contains the equivalent requirement for law-enforcement processing), once suppliers are identified, a written agreement needs to be put in place identifying them as a Processor. In addition, checks need to be made that they too have an agreement in place with any third parties who are processing data of which you are the Controller.
The agreement needs to set out:
- the subject-matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subjects involved; and
- the obligations and rights of the Controller and Processor.
In addition, the agreement needs to state that the Processor must:
- only act on the documented instructions of the Controller;
- ensure that anyone authorised to process the personal data has committed to keeping it confidential;
- implement appropriate technical and organisational security measures (the Article 32 standard) to protect the data;
- assist the Controller in meeting its GDPR obligations, including responding to data subject requests and notifying personal data breaches;
- delete or return all personal data belonging to the Controller at the end of the relationship, and delete any remaining copies;
- make available to the Controller the information needed to demonstrate compliance, including its GDPR policies and procedures; and
- engage subcontractors only with the Controller's authorisation, and flow the same data protection obligations down to them in writing.
If the Processor cannot or will not agree to these provisions, they should not be engaged. It's as simple as that! In some cases, that may mean abandoning a project or finding another party to collaborate with who is committed to legally compliant data protection.
Identify where liability for GDPR breaches falls
Processors and Controllers are both potentially liable if they breach the GDPR: administrative fines, compensation claims from affected data subjects and, under the 2018 Act, criminal proceedings. Therefore, it is crucial to set out clearly in all commercial contracts the responsibilities of both parties to safeguard personal data and the rights of data subjects. Owner-managers of STEM companies need to review all contracts entered into prior to 25 May 2018, renegotiate where liability falls, and incorporate the necessary indemnity provisions. If this is not done, any existing contractual provision that conflicts with the GDPR will be overridden by the Regulation, and liability may end up falling where you never intended it to.
Final Words
Revising and renegotiating commercial contracts to ensure compliance with the GDPR, and to protect your interests when it comes to liability for any breach, is the last hurdle in achieving compliance. Unfortunately, it can also be the most time-consuming and stressful.
Don't stress.
The key to making the process as smooth as possible is to have a thorough understanding of your compliance obligations and then to seek expert advice to assist with the reviewing and drafting of your contracts.
Technical Terms provides in-depth legal advice on drafting and negotiating commercial contracts. For further information to ensure your agreements are compliant with the GDPR, please contact us on 01904 899794 or message us if you prefer.
Please visit our website.