One of the larger tasks facing organizations as they prepare for the new EU General Data Protection Regulation is how to tackle data governance and compliance controls in the supply chain. This is often the Achilles heel for compliance risk, and the very prescriptive requirements of GDPR will require a thorough review of due diligence, contracting and ongoing contract management and audit practices.
GDPR imposes stringent requirements for controllers appointing processors, including prescribing terms that must be stipulated in a contract or other legal act (Article 28). The European Commission and supervisory authorities have the power to adopt standard contractual clauses to meet these new requirements.
As a result, organizations need contract language that helps them tackle the sizeable "re-papering" challenge and ensure supply chains are GDPR-ready for May 25, 2018.
DLA Piper has been collaborating with the International Regulatory Strategy Group (IRSG), a UK-based body led by practitioners from the financial and professional services industry. IRSG aims to be one of the leading cross-sectoral groups in Europe for the financial and related professional services industries to discuss and act upon regulatory developments.
Together with IRSG, we have created a standard set of template GDPR processor terms intended to meet the requirements of GDPR Article 28 and also build in controller-to-processor standard contractual clauses for restricted transfers. Although the IRSG is largely made up of organizations in the financial services sector, the terms are not sector specific and serve as a useful resource for organizations across all sectors.