By Fiona Moss, Associate in the Corporate & Commercial team
The GDPR will be directly applicable in the UK from 25 May 2018. This guidance describes how the GDPR will impact on contracts you are currently negotiating or already have in place and the changes you will need to make.
Most current agreements include data protection clauses, even if these simply state that each party will comply with its respective obligations under the Data Protection Act (and most go much further than this). However, the GDPR requires that contracts set out various mandatory items and contain certain obligations on data processors.
Retaining the existing data provisions without amendment risks breaching the GDPR as soon as it applies in May.
WHAT CHANGES ARE REQUIRED?
1. Correctly Identify your Data Role
Before you can determine what changes your contracts require, you will need to determine the role your business plays in the obtaining or processing of information.
Under the GDPR, a data “controller” is a person who determines the purposes and means of processing information. A data “processor” is a person who processes (collects, organises, stores, uses) information on behalf of a controller.
In many cases you will take on the role of controller in some business relationships and processor in others.
For example, if your business uses managed IT services, cloud services, web hosting, third party payroll services or off-site storage, you will be the data controller in respect of these business relationships. This is the case even where your business usually carries out the role of a data processor. It is not always clear cut. For instance, where you are a data processor but have discretion as to how information can be used, that might make you a controller or joint data controller.
It is important to identify the role in order to determine the extent of your obligations under the GDPR and negotiate appropriate changes in your contracts.
2. Review of Agreements
Having correctly identified the role your business takes, existing contracts will need to be amended and any new contracts which continue post 25 May 2018 should be drafted with GDPR-ready provisions (which could apply now or with effect from 25 May 2018). Although we await guidance from the Working Party and Information Commissioner’s Office (ICO) which may issue model wording as envisaged by the GDPR, it is advisable to commence negotiations based on the requirements enshrined in the GDPR and reserve the ability to make further changes based on any such future guidance.
(a) Is doing nothing an option?
The risk of not drafting/amending your contracts to address the GDPR (either at all or until it becomes law) is that if your contracts do not contain the obligatory provisions by 25 May 2018:
you will be in breach of the obligations under the GDPR and so subject to possible sanction from the ICO and negative publicity; and
liability to the other party may arise due to non-compliance.
It is very unlikely that current agreements will contain the compulsory provisions set out in the GDPR. Doing nothing is only really an option for parties whose agreements will not continue beyond 25 May 2018. Even data processors, whose requirements are less extensive, will want appropriate indemnities in place so that they can recover a contribution towards any compensation they are required to pay a data subject where they are only partially at fault. Data processors should ensure they are given clear instructions by data controllers in their contracts in order to comply with the provisions of the GDPR, which state that you may only process data on the instructions of the data controller.
(b) Do our existing contracts need to be terminated and re-negotiated?
You do not need to do this, although some businesses may choose this route using the GDPR as a reason to re-open negotiations on more than data related provisions.
(c) How should amendments be made?
Changes to existing agreements must be made in accordance with the terms of the contract. These may, for example, contain formalities such as a requirement that any changes be agreed in writing and only with the authority of a particular individual.
Unless mutual promises are given, documents setting out the amendments should be executed as a deed. Additional considerations may apply if a person that is not a party to the contract has a right to enforce those provisions (e.g. group companies).
As the GDPR sets out extensive stipulations to be included in contracts, it is likely to be easiest to address these in schedules to the original agreement which are signed by both parties.
(d) GDPR contractual stipulations for Data Controllers
Data controllers are required to set out in contracts the nature and purpose of the processing, the type of personal data and categories of data subjects.
Additionally, the following obligations on the processor must be included:
to process personal data only on the written instructions of the controller;
to ensure that anyone (including the processor’s employees) who is authorised to process personal data agrees to keep that personal data confidential or is under an appropriate statutory obligation of confidentiality;
to take all measures required under the GDPR to ensure that the processor complies with the requirements around keeping personal data secure;
not to engage a sub-processor without specific or general authority of the controller;
to assist the controller with responding to data subjects exercising the rights that they have under the GDPR;
to assist the controller in complying with security obligations, notification of security breaches, and data protection impact assessments;
to delete or return all personal data to the controller (at its option) after the end of the provision of services; and
to make available to the controller all information necessary to demonstrate compliance with the processor’s obligations under the GDPR and allow (and contribute to) the controller’s audits.
(e) Data Processor Provisions
If you are a data processor contracting on your own standard terms of business, you may want to consider what provision should be made in your standard terms for the above controller requirements, which will likely be demanded by your customers.
Under the GDPR, processors are required to process personal data in accordance with the controller’s instructions. It is in the interest of both controllers and processors to make sure instructions are set out as clearly as possible. You may want to ensure in your contracts that controllers are required to give instructions which are clear and unambiguous and provided in a timely manner.
Additionally, it would be advisable to state that you have the authority of the controller if you intend to have any other processor (including for example web hosting and cloud solutions) sub-process the data. You will also need to ensure your agreements with such third party sub-processors reflect the same contractual obligations you have with the controller. As you remain liable to the controller for the actions or inactions of any sub-processor, appropriate indemnities should be included in the sub-processor contracts.
(f) Indemnities and Limitations
If you fail to comply with the GDPR requirements, the ICO could take various actions, which include fines of up to the greater of €10m or 4% of annual global turnover for certain breaches (although we do not expect to find this type of sanction in the ordinary course). It will therefore also be important to review any limitation of liability provisions and indemnities to ensure that the increased exposure is covered. Such provisions may not be contained within the data protection sections, and therefore a wholesale review of an agreement may be needed.
In addition to including the mandatory obligations on data processors and other desirable amendments, contracts should be reviewed to ensure that the terminology in the GDPR replaces any DPA provisions. For example, the definition of “personal data” in the GDPR now includes online identifiers (such as IP addresses) and updates the definition of “sensitive personal data” (or “special category personal data”) to include genetic data, biometric data and data concerning sexual orientation.
As already indicated, the GDPR significantly increases the possible fines for data breaches. You may accordingly wish to review insurance policies, coverages and exceptions to determine whether liability and fines for data breaches and other GDPR obligations are covered. In addition, any requirements to insure in the contracts may need to be amended to reflect the risk of GDPR penalties.
Transfer of Data outside of the EU
Where data is transferred to a non-EU country or territory which is not deemed by the Commission to have adequate data protection and security, further contractual clauses in a standard form are required in order to ensure adequate safeguards. These are also compulsory.
All businesses, whether acting as data controller, processor or both, will need to put in place contractual amendments or GDPR-compliant provisions. Businesses should address these now in order to have agreements compliant as of 25 May 2018 when the GDPR comes into force.
In spite of the absence of finalised official guidance and model clauses, businesses should not delay. There are many template provisions which set out the compulsory provisions under the GDPR to be included in contracts. However, contract reviews may need to go further in addressing limitations, indemnities, insurance and terminology which will be unique to the parties of a particular agreement.
Mundays’ commercial team can assist with any contractual review, help get your contracts GDPR compliant and protect you against exposure whether you are a data controller or processor. Please contact Fiona Moss for further information.