GDPR and Contracts: Data Compliance in a Global World

It looks like a standard clickbait headline: “If you forget to do this, your company could be fined €20 million!” As fake as this headline sounds, there is much more than a kernel of truth in it – in fact, it refers to the very real General Data Protection Regulation (GDPR). The GDPR was passed by the EU on April 27, 2016 and goes into effect on May 25, 2018, and introduces sweeping changes for data management, use, and protection.

The GDPR’s impact will be felt worldwide, even by companies operating outside of Europe. Any company that processes personal data of EU residents is subject to GDPR rules (and severe penalties for noncompliance), regardless of where it is located. “Processing” is an expansive definition within the GDPR that includes collection, storage, dissemination, or deletion of data. In essence, if your company handles personal data of EU residents in any way, your company will likely be subject to the GDPR.

The GDPR’s 88 pages cover numerous areas, but today we’re only going to highlight a few of these as they relate to contracts. Companies impacted by the GDPR need to review their current contracts carefully, and ensure that new contracts include language appropriate for the GDPR requirements.

Controllers vs. Processors – Duties and Liabilities

It is important to understand how the GDPR distinguishes between controllers of data and processors of data. Per the GDPR definitions, a controller is the party which “determines the purposes and means of the processing of personal data,” whereas a processor is the party which “processes personal data on behalf of the controller.”

The controller is responsible for complying with the personal data principles laid out in Article 5 of the GDPR, which include:

  • Lawfully, fairly, and transparently processing data
  • Limiting data collection to what is required for a legitimate, specific purpose
  • Minimizing the amount of data processed to what is adequate and relevant
  • Ensuring accurate data that is erased or corrected in a timely manner
  • Retaining data for an appropriate amount of time and deleting when no longer needed
  • Processing data with integrity and confidentiality

The processor, on the other hand, must comply with the principles outlined in Article 28 of the GDPR, including:

  • Only processing data based on documented instructions from the controller
  • Ensuring confidentiality of those individuals processing the data
  • Deleting or returning all data to the controller upon completion of services
  • Providing evidence of compliance to controller

Due to increasing complexity in the information supply chain, many companies are both processors and controllers. This creates situations where contracts can be between two “intermediate” processors both under the instruction of a third-party controller. Thus, when assessing your contracts, you must determine whether your entity is the controller or the processor, as the regulatory requirements are very different between the two. This assessment must occur on a per-contract basis to avoid costly mistakes.

Contractual Requirements Under GDPR

The GDPR also outlines numerous contractual requirements between controllers and processors. These requirements are usually beneficial to the controller, putting a high degree of responsibility on the processor. Viewed differently, these requirements are “best practices” enshrined in regulation that help ensure data integrity, confidentiality, and security.

Operating Under Instruction

Processors may only take data processing action based on documented instructions from the controller. You may want to review your contracts to ensure that these instructions are either clearly stated therein, or that contracts clearly indicate sources and procedures around instructions.

Ensuring Confidentiality

Processors must ensure confidentiality of data by requiring that individuals who process personal data have a contractual or statutory obligation of confidentiality. Standard terms, like scope of confidential information and the duration or term, should be included in contracts.

Taking Appropriate Security Measures

Article 32 of the GDPR mandates that processors assess the risk of the data being processed and implement security measures that are proportional to the assessed risk. These measures include data encryption and pseudonymization, vulnerability testing, and processes for restoration of data. Many organizations will need to review and compare these requirements with their existing Information Security Programs and Policies, like ISO 27001.

Sub-Processor Restrictions

Processors are limited in their ability to subcontract processing work unless written authorization has been given by the controller. Depending on whether you are a processor or a controller, you may want to ensure these terms are explicit in your agreements, and that mechanisms or audits are in place for verifying their accuracy.

Data Subjects’ Rights

If individual data subjects assert their rights under Chapter III of the GDPR, processors must assist controllers in responding to this request. The processor’s response may differ based on the nature of the data processing, as well as the processor’s technical abilities. Processors and controllers may need to negotiate terms around these responsibilities (for example, to compensate processors reasonably).

Security Breaches

In the event of a security breach, most of the reporting requirements fall on the controller, but in the event that a processor discovers a breach, it must inform the controller “without undue delay.” In many cases, controllers and processors may want to explicitly define acceptable delays; for example, processors working with sensitive financial information might be required to notify their counterparty within 24 hours.

Completion of Contract

The contract must address what action should be taken with respect to the processed data. Unless EU or Member State laws require retention of personal data, the controller dictates whether the processor is to delete or return data upon completion of services. The length of retention can translate to significant ongoing storage and security costs. Because of this, processors and controllers should carefully document and review these terms and requirements.

Evidence of Compliance

Processors are to cooperate with controllers or other controller-directed auditors to demonstrate conformity with the GDPR requirements. They should be prepared to provide appropriate evidence to support their compliance. However, it is up to controllers and processors to negotiate how processors are compensated for these activities. Processors and controllers should review their contracts to identify and negotiate any related provisions, as the cost of these audits can be significant.

What Next?

You’re hopefully now more aware of the problems created by the GDPR, but what can you do to help address these problems? In our next post, we’ll shift the conversation to approaches and solutions, including how contract and document analytics tools can help. Stay tuned!