
GDPR: Key steps to ensuring your supplier contracts are compliant


The EU General Data Protection Regulation (GDPR) has leapfrogged to the top of the risk agenda for many organisations as the 25 May 2018 deadline approaches. While some businesses may be ahead of the curve in planning for the new legislation, others are wondering where to begin in dealing with the large volume of supplier contracts that will need to be made GDPR compliant by the deadline date.   

The key purpose of GDPR is to increase and protect the rights of EU data subjects by creating clear channels of accountability over data processing. The new data protection laws will extend to any organisation that collects or processes the personal data of EU residents – regardless of whether the organisation is based in the EU.

Contracts with third-party suppliers that have access to EU personal data will need to be reviewed and addressed to ensure they meet GDPR requirements; otherwise organisations risk paying substantial penalties for non-compliance of up to €20 million or 4% of annual global turnover, whichever is the higher.

Significant risk to data controllers

Under GDPR the burden for personal data protection lies primarily with data ‘controllers’ or those entities that ‘own’ personal data and make decisions over how it’s processed – a significant change from the current UK Data Protection Act.

Controllers will be responsible for compliance with GDPR’s processing rules and will be held liable even when another organisation or data ‘processor’ is contracted to carry out these activities. This is not to say that processors are off the hook. Processors have additional responsibilities under GDPR and face greater liability for non-compliance or where they act beyond the scope of authority agreed with the controller.

Nonetheless, increased liabilities on controllers mean it is crucial for data owners to urgently review their external agreements with those third-party suppliers that have access to EU personal data to ensure they are GDPR compliant.

Implementing risk measures

There are several steps that organisations will need to follow when reviewing and addressing supplier contracts to ensure they meet GDPR requirements.

The first is to establish which suppliers the new GDPR rules affect and the desired outcomes in terms of contractual relationships. Categorise contracts on this basis, prioritising those suppliers that are considered business critical. An overarching treatment strategy for each category will help to determine how contracts are managed, as well as informing any subsequent negotiation process.

Engage with suppliers to agree new terms and conditions. Suppliers may want to discuss specific agreement clauses and push back on proposed limits of liability, indemnities and other similar clauses to address the new risks. They may also want to renegotiate commercial terms to cover increased compliance costs and greater risks. Where contractual negotiations are required, aim to deliver a signed agreement or implement alternative strategies as needed.

Finally, in addition to addressing supplier contracts it is essential that data controllers have adequate internal processes in place. Among the factors to consider are the need for detailed record-keeping procedures and whether internal data protection policies need to be updated ahead of the new legislation coming into effect.

Next steps

The introduction of GDPR is imminent. The sheer volume of supplier contracts that some organisations will need to deal with in what is now a relatively short space of time means doing nothing is no longer an option. The potential consequences of inaction include severe fines and penalties, breach of contract with suppliers and customers, a ban on data processing activities, not to mention significant reputational damage. The time to act is now.


For more information, please contact:
James Cunningham
Principal
Efficio
+44 (0)7940 796 825
james.cunningham@efficioconsulting.com
