To celebrate international Data Privacy Day 2021 (well we need something to celebrate, don’t we?), the Birketts Data Protection Team has produced a series of data protection top tips articles. This bite-sized advice series is designed to provide you with some easily digestible compliance tips, focusing on some of the key issues we see clients dealing with on a daily basis. Today we are focusing on data protection and contracts. Andrew Priest, shares his data protection top tips…
- Contract terms: If you are processing personal data on behalf of a client or customer who is a controller of the data, or if you are a controller of personal data and are asking a supplier to process that personal data on your behalf, in both cases you need to make sure that your written contract contains terms which cover certain important areas of data protection. These terms include a commitment by the processor to implement appropriate technical and organisational measures so that the personal data is protected. Failure to include these contract terms is a breach of the data protection legislation for both processor and controller.
- Limiting liability: Failure to comply with contract terms for data processing or failure to comply with the data protection legislation can result in claims for compensation from data subjects, fines from the ICO or claims for breach of contract. If you are a processor you should consider whether it is appropriate to seek to limit your liability under the contract (clue – it almost is always appropriate). If you are a controller you may no longer be able to insist on unlimited liability. Much will depend on the nature and extent of the personal data that is being processed, and on the terms of available insurance cover.
- Data transfers out of the UK: If you wish to transfer personal data outside of the EEA, you may need to put in place a set of standard contractual clauses so that the data is protected when it is processed in a country outside of the EEA. The EU-US Privacy Shield is no longer valid as a mechanism for the transfer of personal data to the US (as a result of a court decision last year), so you will need to have standard contract clauses in place or rely on particular derogations which allow transfers of personal data in specific situations. An assessment of data transfer risks is required before any personal data is transferred outside of the EEA, even if the intention is to use standard contractual clauses.
- Data transfers into the UK: If you are receiving personal data from a country in the EEA that can continue until at least the end of April this year without being subject to any restrictions. That period may be extended to the end of June. After that time, if the UK is not covered by an adequacy decision of the European Commission (it isn’t at the moment), you may need to have standard contractual clauses in place to allow for continued transfers of personal data. The ICO recommends that appropriate safeguards (such as the standard contractual clauses) are put in place by the end of April.
- What to look out for: Now that the transition period for leaving the EU has ended, the UK can produce its own set of standard contractual clauses for use in relation to restricted transfers of personal data from the UK. We expect draft clauses to appear later in the year. The EU has already produced its own draft standard contractual clauses and is consulting on these. Also, watch out for more standard or recommended contract drafting from the ICO. Contract terms are an important part of being able to demonstrate compliance with data protection laws.