The EU General Data Protection Regulation (GDPR) has leapfrogged to the top of the risk agenda for many organizations as the 25 May 2018 deadline approaches. While some businesses may be ahead of the curve in planning for the new legislation, others are wondering where to begin in dealing with the large volume of supplier contracts that will need to be made GDPR compliant by the deadline date.
The key purpose of GDPR is to increase and protect the rights of EU data subjects by creating clear channels of accountability over data processing. The new data protection laws will extend to any organization that collects or processes the personal data of EU residents – regardless of whether the organization is based in the EU.
Contracts with third-party suppliers that have access to EU personal data will need to be reviewed and addressed to ensure they meet GDPR requirements; otherwise organizations risk substantial penalties for non-compliance of up to €20 million or 4% of annual global turnover – whichever is the higher.
Significant risk to data controllers
Under GDPR the burden for personal data protection lies primarily with data ‘controllers’ or those entities that ‘own’ personal data and make decisions over how it’s processed – a significant change from the current UK Data Protection Act.
Controllers will be responsible for compliance with GDPR’s processing rules and will be held liable even when another organization or data ‘processor’ is contracted to carry out these activities. This is not to say that processors are off the hook. Processors have additional responsibilities under GDPR and face greater liability for non-compliance or where they act beyond the scope of authority agreed with the controller.
Nonetheless, increased liabilities on controllers mean it is crucial for data owners to urgently review their external agreements with those third-party suppliers that have access to EU personal data to ensure they are GDPR compliant.
Implementing risk measures
There are several steps that organizations will need to follow when reviewing and addressing supplier contracts to ensure they meet GDPR requirements.
The first is to establish which suppliers the new GDPR rules affect and what outcome is desired for each contractual relationship. Categorize contracts on this basis, prioritizing those suppliers that are considered business critical. An overarching treatment strategy for each category will help to determine how contracts are managed, as well as informing any subsequent negotiation process.
The next step is to engage with suppliers to agree new terms and conditions. Suppliers may want to discuss specific agreement clauses and push back on proposed limits of liability, indemnities and other similar clauses intended to address the new risks. They may also want to renegotiate commercial terms to cover increased compliance costs and greater risks. Where contractual negotiations are required, aim to deliver a signed agreement or implement alternative strategies as needed.
Finally, in addition to addressing supplier contracts it is essential that data controllers have adequate internal processes in place. Among the factors to consider are the need for detailed record-keeping procedures and whether internal data protection policies need to be updated ahead of the new legislation coming into effect.
The introduction of GDPR is imminent. The sheer volume of supplier contracts that some organizations will need to deal with in what is now a relatively short space of time means doing nothing is no longer an option. The potential consequences of inaction include severe fines and penalties, breach of contract with suppliers and customers, a ban on data processing activities, not to mention significant reputational damage. The time to act is now.