The General Data Protection Regulation (the “GDPR”) will apply from 25 May 2018. The GDPR will replace the current data protection legislation in Ireland and across the EU. It brings significant new compliance requirements and sanctions for non-compliance (in some cases up to €20m or 4% of worldwide annual turnover, whichever is higher) and potential personal liability for company officers.
Business owners and compliance officers could be forgiven if they felt overwhelmed by GDPR. Compliance is not straightforward – but it is achievable if approached in the right manner. Compliance is not something that will be “nice to have” – it will affect how businesses contract with service providers and those who rely on them for work – i.e. those who pay the bills!
Currently, we are receiving an array of queries in respect of GDPR compliance and readiness projects. For businesses, one of the areas that stands out is the change in the law regarding data controllers and data processors. To date, data processors have had limited responsibilities under the law (e.g. to act only on the instructions of the data controller and to ensure adequate levels of security). Under GDPR, data processors will have direct statutory responsibilities in more areas and may be held jointly and severally liable with a data controller for damage caused by a breach.
Why is this relevant to my business? If your business outsources any function to a third party, it is quite likely that the third party will be a data processor. The outsourced function might be HR or payroll, a marketing service, or an IT provider engaged to provide support services to your business.
Where contracts are in place currently, they are unlikely to have been drafted to be GDPR compliant, and as a result existing contracts need to be reviewed and often re-drafted.
Article 28 of the GDPR sets out certain provisions that must be included in the contract between the controller and processor – for example, that the processor
- will only process personal data on the documented instructions of the controller;
- will ensure that the persons authorised to process personal data have committed themselves to confidentiality;
- will take all security measures required under the GDPR (Article 32);
- will assist the controller in meeting its obligations under the GDPR, including responding to data subject requests, notifying data breaches and carrying out data protection impact assessments, and will keep records of its processing (the categories of processing, the period for which the personal data will be stored, etc.);
- will delete or return the personal data at the end of the service;
- must make available to the controller all information necessary to demonstrate compliance and allow the controller to carry out audits.
If the party providing the service (i.e. the processor) is itself engaging a separate organisation to carry out some or all of the work envisaged, there are also rules on that. The processor may only appoint a sub-processor with the prior written authorisation of the controller, the processor's obligations must flow down by contract to that sub-processor, and the original processor remains fully liable to the controller for the sub-processor's breaches.
What does it mean for winning business?
One of the principal changes under GDPR is the requirement to demonstrate compliance – so, not only must a controller comply with the rules of GDPR, it must also be able to show how it complies (known as the accountability principle).
Ensuring that your commercial contracts are GDPR compliant is a key part of this process. By way of example, a data controller has 72 hours from becoming aware of a relevant data breach to report it to the supervisory authority, and a processor must notify the controller of a breach without undue delay; any contract with a processor should therefore cater for this obligation so that the controller is best placed to deal with a breach quickly and in line with the requirements of GDPR. In addition, given the rights of individuals under GDPR, including the right to be forgotten, the right to restrict processing, data portability and rectification, data controllers need to be sure that their processors are GDPR compliant, have the appropriate technical and organisational measures in place, and will be able to assist the controller in meeting those requests and in demonstrating compliance.
From a processor (or outsource provider) point of view, it can be held jointly and severally liable for damage caused by a breach; appropriate contractual protections should therefore be included in commercial contracts to mitigate this risk, and insurance coverage should be reviewed in light of GDPR.
Whatever way you look at it, from a legal, commercial and/or risk perspective, having a GDPR compliant commercial contract is an absolute must for organisations engaging third parties. Equally for processors, unless your organisation has taken preparatory steps to comply with GDPR, you will find the obligations within these commercial contracts onerous. In some cases, your ability to sign up to these contracts and demonstrate how you comply with GDPR will be the difference between winning and losing business.
What can you do?
Businesses should already be undertaking a GDPR readiness programme, and some will be nearing the end of that journey. If yours is yet to begin, do not panic, but doing nothing is not a feasible option and could seriously jeopardise your business model and reputation. Businesses can begin by undertaking a data mapping exercise to understand what personal data is held, why it is held, where it is stored, with whom it is shared, the legal basis for processing it, and for how long it is retained.
From there, a structured plan can be developed to update contracts, policies and organisational practices. As a result, when the new contract lands from that large customer, or when a tender for a particular project arises, the business will be able to navigate the contractual obligations that companies and public bodies require from their service providers.