Contract Management Considerations for GDPR Compliance
by Dermot Whittaker on January 15, 2019
The GDPR (General Data Protection Regulation) of the European Union became effective on May 25, 2018. Organizations inside and outside the EU should comply by that date, but many are still getting there. Reaching and remaining in GDPR compliance is an ongoing responsibility that affects an organization’s contractual commitments. Here is an overview.
What is GDPR?
GDPR (Regulation (EU) 2016/679) is a regulation of the European Union adopted by the European Parliament and the Council in April 2016. It entered into force on May 24, 2016 and became applicable on May 25, 2018. The purpose of GDPR is to clearly state both the rights of persons in the EU with regard to data collected from or about them and the responsibilities of organizations that collect, use, or otherwise process that data. GDPR replaces the previous Data Protection Directive 95/46/EC.
Who is affected by GDPR?
The regulation defines three key groups.
- Data Subjects – the natural persons in the EU whose personal data is being collected and processed. GDPR states and upholds the right of data subjects to consent, in positive and unambiguous terms, to the collection of data about them, with a clear understanding of the purposes for which the data will be used. Among the many rights of data subjects are the right to access the data held about them (including data about their behavior), the right to receive their data in a portable format, the right to have their data erased, and the right to be notified of a personal data breach that is likely to result in a high risk to them.
- Data Controllers – organizations that determine the purposes and means of processing the personal data of data subjects in the EU. Because the test is whose data is processed rather than where the organization sits, controllers include organizations both within and outside the EU.
- Data Processors – organizations that store or otherwise process personal data on behalf of a controller. For most companies, this means the cloud, data storage, or fulfillment services that handle the personal data of employees, customers, marketing prospects, and other data subjects.
Importantly, GDPR obliges data controllers and processors to organize their business and technical systems so that they both respect the rights of data subjects and protect personal data from unauthorized access or theft. To this end, Article 28(3) of GDPR specifically stipulates that “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
Processors have the same requirement to ensure compliance by any other processors (in essence, their subcontractors) that they rely on to handle personal data: a processor may not engage a sub-processor without the controller’s prior authorization, and must flow down the same data protection obligations to that sub-processor by contract.
What are the risks of non-compliance with GDPR?
There is a range of administrative sanctions, but two tiers of fines are worthy of note:
- For infringements of provisions regarding the obligations of the controller and the processor, administrative fines of up to 10,000,000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- For infringements of provisions regarding the basic principles for processing, including conditions for consent, and data subjects’ rights, administrative fines of up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
While the larger fines (20M EUR / 4% of annual turnover) associated with protecting data subjects’ rights have attracted the most attention, the lesser fines (10M EUR / 2% of annual turnover) associated with an organization’s obligation to protect data are still significant.
How does GDPR impact contract management?
GDPR was written with business needs in mind as well as personal data rights. The goal is to make responsibilities clear across the EU so that business can proceed predictably. The handling of personal data in contractual relationships is specifically addressed in the regulation. Consequently, the legal impact of GDPR on any organization needs to be determined by its legal team in light of the entire regulation.
That said, failure to conform to GDPR – whether by your organization or by another organization with which personal data is shared or processed – clearly presents risk.
Legal professionals and contract managers have some time-consuming tasks in front of them.
- Identify risk in executed contracts. Current contracts govern your business relationships, including any that require the exchange of personal data. Legal will review these agreements to see whether they present a risk of non-compliance with GDPR. Two areas worth exploring: adequate permission for collecting personal data, and clear statements of responsibility and liability around the protection of personal data. Addenda to existing contracts may need to be drafted and executed.
The Challenge: systematically locating, reviewing, and adding addenda to current contracts. Organizations whose contracts are stored electronically will reduce search and review time. Those with a contract management system will be able to automate the processing of addenda to these contracts, ideally using e-signature to send and execute them.
- Ensuring use of appropriate terms and conditions in new contracts. Protecting data subjects’ rights may require new language in contracts. For example, GDPR explains in detail what constitutes freely given consent to data collection; attorneys will deploy terms or conditions that comply with that understanding of consent. GDPR also requires contracts between an organization and its data processors, such as web-based storage or fulfillment services. Attorneys will want consistent language in these processor contracts to stipulate how personal data will be processed and protected, to require certifications from processors demonstrating their compliance with GDPR, and to specify indemnity protection and liability caps. Insurance policies with new language addressing the risks of data breaches or non-compliance with GDPR may also be called for.
The Challenge: Once new language is drafted by legal, it will need to be applied consistently to new contracts where it is appropriate. Ensuring that this happens will be easier if contract templates are centralized and controlled electronically. For contracts between data controllers and data processors, negotiation around indemnification and liability is likely. A contract management system can reduce risk by ensuring that these highly negotiated provisions receive review by legal or business approvers.
- Tracking obligations around data storage and protection. Under GDPR, data controllers and data processors both have responsibility for protecting personal data and for storing it in a way that is compatible with the rights of data subjects. Current contracts may well address the protection of data from hacks, theft, or unauthorized access. What is new is the obligation to store the data in a manner compatible with the data subjects’ rights under GDPR: data subjects should be able to see their data, have inaccuracies corrected, receive their data in portable form, or request that it be deleted. Failure to store personal data so that these requests can be met may result in fines as described above. Consequently, an organization should have a way to track the contractual obligations of processors to maintain and protect data consistent with GDPR requirements. Ideally, these obligations should be checked periodically, and a record of these checks maintained as evidence of the organization’s good-faith efforts to handle personal data responsibly.
The Challenge: Recording obligations in a spreadsheet can be an adequate way to track one-time obligations. Ongoing obligations with recurring check-in dates are at risk when the process of remembering and checking on them is manual. A contract management system that sets recurring tasks to check on contractual obligations and assigns those tasks to an owner, with reminders and escalations, is a better way to stay in compliance with ongoing obligations. This includes the obligation to maintain and process personal data safely and with the controls required by GDPR.