Contract Management Considerations for GDPR Compliance

The GDPR (General Data Protection Regulation) of the European Union became effective on May 25, 2018. Organizations inside and outside the EU should comply by that date, but many are still getting there. Reaching and remaining in GDPR compliance is an ongoing responsibility that affects an organization’s contractual commitments. Here is an overview.

What is GDPR?
GDPR is a regulation of the European Union adopted by the European Parliament and published May 24, 2016. It became effective May 25, 2018. The purpose of GDP is to clearly state both the rights of persons based in the EU with regard to data collected from or about them and the responsibilities of organizations that collect, use, or process that data. GDPR replaces the previous EU regulation Data Protection Directive 95/46/EC.

Who is affected by GDPR?
The regulation defines three key groups.

• Data Subjects – the natural persons based in the EU whose data is being collected and processed. GDPR states and upholds the rights of data subjects to consent in positive and unambiguous terms to the collection of any data about them, with a clear understanding of the purposes to which the data is being put. Among many rights of data subjects are the right to see the data collected (including data about their behavior), the right to receive their data in a portable format, the right to have their data deleted, and the right to be notified when their data has been unlawfully accessed.
• Data Controllers – organizations who collect and control the personal data of data subjects based in the EU. Based on this description, controllers include organizations within and outside of the EU.
• Data Processors – organizations who store or otherwise process the personal data of data subjects. For most companies, this means the cloud or data storage services that handle personal data of employees, customers, persons marketed to, and other data subjects.

Importantly, GDPR defines the obligation of data controllers and processors to organize their business and technical systems to both respect the rights of data subjects and protect their data from unauthorized access or theft. To this end, GDPR specifically stipulates that “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

Processors have the same requirement to insure compliance by other processors (in essence, their subcontrators) that they rely on to handle personal data.

What are the risks of non-compliance with GDPR?
There is a range of disciplinary actions but two are worthy of note:

• For infringements of provisions regarding the obligations of the controller and the processor, administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher
• For infringements of provisions regarding the basic principles for processing, including conditions for consent, and data subjects’ rights, to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher

While the larger fines (20M Euros/4% annual turnover) associated with protecting data subjects’ rights have attracted the most attention, the lesser fines (10M Euros/2% annual turnover) associated with an organization’s obligation to protect data are significant.

How does GDPR impact contract management?
GDPR was written with business needs in mind as well as personal data rights. The goal is to make responsibilities clear across the EU so business can proceed predictably. The need for maintaining personal data in contractual relationships is specifically addressed in the regulation. Consequently, the legal impact of GDPR on any organization needs to be determined by its legal team in light of the entire regulation.

That said, failure to conform to GDPR – whether by your organization or by another with whom personal data is processed – clearly presents risks.

Legal professionals and contract managers have some time-consuming tasks in front of them.

• Identify risk in executed contracts. Current contracts govern your business relationships, including any that require the exchange of personal information. Legal will review these agreements to see if they present risk of non-compliance with GDPR. Two areas worth exploring: adequate permission for collecting personal data and clear statements of responsibility and liability around protection of personal data. Addendums to existing contracts may need to be drafted and executed.
  
  The Challenge: systematically locating, reviewing, and adding addendums to current contracts. Organizations whose contracts are stored electronically will reduce search and review time. Those with a contract management system will be able to automate the processing of addendums to these contracts, ideally using e-signature to send and execute these agreements.

• Ensuring use of appropriate terms and conditions in new contracts. Protection of data subjects’ rights may require new language in contracts. For example, GDPR explains in detail what constitutes freely given consent for data collection; attorneys will deploy terms or conditions that comply with that understanding of consent. GDPR also requires contracts between an organization and its data processors such as web-based storage or fulfillment services. Attorneys will want consistent language in these processor contracts to stipulate how personal data will be processed and protected, to require certifications from processors demonstrating their compliance with GDPR, to specify indemnity protection and liability caps. Insurance policies with new language addressing the risks of data breaches or non-compliance with GDPR may be called for.
  
  The Challenge: Once new language is drafted by legal, it will need to be consistently applied to new contracts where it is appropriate. Insuring that this happens will be easier if contract templates are centralized and controlled electronically. For contracts between data controllers and data processors, negotiation around indemnification and liability is likely. A contract management system can reduce risk by ensuring that these highly negotiated provisions receive review by legal or business approvers.

1. Tracking obligations around data storage and protection. Under GDPR, data controllers and data processors both have responsibility for protecting personal data and for storing it in compliance with the rights of data subjects. Current contracts may well address the protection of data from hacks, theft or unauthorized access. What is new is the obligation to store the data in a manner compatible with the data subjects’ rights under GDPR. Data subjects should be able to see their data, have inaccuracies corrected, receive their data in portable form, or request that it be deleted. Failure to store personal data so that these requests can be met may result in fines as described above. Consequently, an organization should have a way to track contractual obligations of processors to maintain and protect data consistent with GDPR requirements. Ideally, these obligations should be checked periodically and a record of these checks maintained as evidence of the organization’s good faith efforts to maintain personal data responsibly.
   
   The Challenge: Creating obligations as records in a spreadsheet can be an adequate way to track one-time obligations. Ongoing obligations with recurring check-in dates are at risk when the process of remembering and checking on the obligations is manual. A contract management system that sets recurring tasks to check on contractual obligations and assigns these tasks to an owner, with reminders and escalations, is a better way to stay in compliance with ongoing obligations. This includes the obligations to maintain and process personal data safely and with the controls required by GDPR.