You may be ready for the GDPR – but are your commercial contracts?
If you are not aware of the imminent coming into force of the General Data Protection Regulation (GDPR), just check your Inbox. You will have no doubt received an influx of communications from companies whose email lists you subscribe to, asking you to confirm that you wish to continue receiving communications from them, or other businesses you have relationships with asking you to update your contact details.
From 25 May 2018, all public, private and third sector organisations that handle personal data within the European Union will need to comply with the GDPR or face the possibility of a financial penalty. And for many STEM-based enterprises, reviewing, re-negotiating and updating their commercial contracts are the last steps in a long journey to fulfilling their compliance obligations.
Your commercial contracts with suppliers and customers will need to be GDPR compliant. Lip-service is not enough. Neither is merely implementing widespread organisational change. Your contracts themselves must demonstrate that your business is committed to protecting personal data and supporting the rights of data owners and data subjects.
Incorporating GDPR Principles into your Contracts
The GDPR will alter your customers’ expectations as to how you handle their personal data. Article 5 sets out six principles of the Regulations, stating that data must be:
- Processed fairly, lawfully and transparently;
- Collected for specified legitimate purposes only;
- Adequate, relevant, and limited to what is necessary for the intended purpose;
- Accurate and kept up to date;
- Stored for no longer than is necessary; and
- Processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Every supplier contract your organisation has must be examined, perhaps renegotiated, and ultimately updated to ensure that each provider deals with personal data in a legally compliant manner. Both Data Controllers and Processors need to be familiar with the Data Protection Bill 2017 which, when it hits the statute-books, will bring the GDPR into domestic law.
Updating your Contracts – the Steps Required
The first step you took when beginning your GDPR compliance project was probably to create a ‘data map’ to understand where personal data was held within your organisation and how up-to-date it was. A similar exercise must be done with all your existing supplier and customer contracts. All organisations that you require to deal with personal data on your behalf need to be identified, as do any third parties they subcontract the data processing function to.
Make sure the provisions in the agreement cover GDPR requirements
Under section 59 (5) of the Data Protection Bill, once suppliers are identified, a written agreement needs to be put in place identifying them as a Data Processor. In addition, checks need to be made that they too have an agreement in place with any third parties who are processing data of which you are identified as the Data Controller.
The agreement needs to set out:
- the subject-matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subjects involved; and
- the obligations and rights of the Data Controller and Data Processor.
In addition, the agreement needs to state that the Data Processor must:
- only act on the instructions of the Data Controller;
- ensure that those who process personal data have keep it confidential;
- work with the Data Controller to ensure that they comply with the GDPR;
- delete or return originals and copies of any personal data belonging to the Data Controller at the end of the relationship;
- be able to show the Data Controller their organisation’s policies and procedures relating to GDPR compliance; and
- ensure all agreements with subcontractors comply with the GDPR.
If the Data Processor cannot or will not agree to these provisions, they should not be engaged. It’s as simple as that! In some cases, that may mean abandoning a project or finding another party to collaborate with who is committed to legally compliant data protection.
Identify where liability for GDPR breaches falls
Data Processors and Data Controllers are both potentially liable to civil action and criminal proceedings if they breach the GDPR. Therefore, it is crucial to set out clearly in all commercial contracts the responsibilities of both parties to safeguard personal data and to safeguard the rights of data subjects. Owner-managers of STEM companies need to review all contracts entered into prior to 25 May 2018, renegotiate where liability falls, and incorporate necessary indemnity provisions. If this is not done, any existing contractual provisions that conflict with the GDPR will be overridden.
Revising and renegotiating commercial contracts to ensure compliance with the GDPR and to protect your interests when it comes to liability for any breach, is the last hurdle in achieving compliance. Unfortunately, it can also be the most time-consuming and stressful.
The key to making the process as smooth as possible is to have a thorough understanding of your compliance obligations and then to seek expert advice to assist with the reviewing and drafting of your contracts.
Technical Terms provides in-depth legal advice on drafting and negotiating commercial contracts. For further information to ensure your agreements are compliant with the GDPR, please contact us on 01904 899794.